DATA PROCESSING AGREEMENT

Last Updated: 15 July, 2024

This Data Processing Agreement including its annexes, schedules, and appendices (“Agreement”, “Data Processing Agreement,” or “DPA”) will be effective and replace any previously applicable data processing terms and shall supersede all other terms related to data processing between the Parties.

Between:

(1) User, a company incorporated under the laws of the Data Controller Country with its User Registered Address (the “User”, “Data Controller” or the “Controller”); and

(2) AfterShip (“AfterShip”, the “Data Processor” or “Processor”)

(each a “Party” and collectively the “Parties”).

Recitals

A. Data Controller provides goods and/or services to End-Users. Data Controller acts as the controller of Personal Data in the course of providing goods and/or services to End-Users.

B. Data Processor will process Personal Data on behalf of Data Controller to enable the Data Processor to provide Services to Data Controller pursuant to the Main Agreement (the “Purpose”), and Data Controller will make Personal Data available to Data Processor in connection with this Purpose.

C. The Parties intend that the processing activities carried out by Data Processor on behalf of Data Controller shall comply with the provisions of this Agreement.

1. Definitions

Words and expressions used in this Agreement but not defined herein shall have the meaning (i) attributed to them in Main Agreement or, if not defined in said document(s), (ii) given to such words and expressions in the Applicable Data Protection Laws.

In the present Agreement, when used with the initial letters capitalized, in addition to terms defined elsewhere in the Agreement, the following terms shall have the following meanings:

AfterShip Affiliate means any entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, AfterShip.

AfterShip Customers means any and all End-Users using the Application who are AfterShip customers and use the AfterShip Package Tracker App.

Applicable Data Protection Laws means all data protection and privacy laws applicable to the Personal Data and processing activities in the framework of the Services and DPA, which include, without limitation and as applicable: (i) the General Data Protection Regulation (2016/679) (“GDPR”), (ii) the US Data Protection Laws, (iii) the UK Data Protection Act 2018 (“UK GDPR”) and (iv) any and all data protection laws and regulations applicable to the Personal Data in question, in each case as amended, superseded or replaced from time to time.

AfterShip Package Tracker App means the mobile software application of AfterShip which AfterShip Customers use to allow them to access, manage and process their Mobile App Data.

Authorized Carriers means the carriers described in Schedule B which are independent controllers of the relevant Personal Data and to which Data Processor is authorized to transfer Personal Data.

Authorized Subprocessors means the subprocessors described in Schedule B which are expressly authorized by Data Controller to process the Personal Data.

Data Controller Country means the country under which Data Controller is incorporated as included in its User Registered Address.

EEA/UK Adequate Countries are all countries (i) in respect of Personal Data which is subject to the GDPR, the European Economic Area and any other territory which the European Commission has determined ensures an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR and (ii) in respect of Personal Data which is subject to the UK GDPR, the United Kingdom and any other territory which the UK Secretary of State has by regulations specified ensures an adequate level of protection for Personal Data pursuant to Article 45 of the UK GDPR and Section 17A of the UK Data Protection Act 2018.

Effective Date shall mean (i) the date on which Data Controller accepted, or the parties otherwise agreed to, this Agreement as shown on the User Account or (ii) the date of the Service Order, whichever is applicable between the Parties.

End-User means any individual or entity whose Personal Data is being processed by AfterShip as part of the Service provided to the User.

EU SCCs means the standard contractual clauses approved by the European Commission in the decision annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 as may be amended, superseded, or replaced from time to time and available here.

Applicable EU SCCs means either (i) the EU SCCs in Schedule C(1) or (ii) in case Section 2.4 is applicable, the EU SCCs in Schedule C(2).

Main Agreement means all relevant agreements and/or terms applicable to the Parties in connection with AfterShip Services including AfterShip Terms of Use, the Master Service Agreement, the Subscription Plan, the Sales Order and/or the Statement of Work, whichever are applicable between the Parties.

Mobile App Data means any Personal Data included in the following categories of Personal Data as defined in Schedule E: Shipping Information, Order Information, End-User Information, Tracking Information, End-User Behavioral Data, Shopping Cart Information, Checkout Information, Product Review Information and Shipment Review Information.

Personal Data means any information processed under this Agreement that relates to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Restricted Transfer means a transfer of Personal Data that is subject to GDPR and/or UK GDPR outside of the EEA/UK Adequate Countries.

UK SCCs means the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR as may be amended, superseded, or replaced from time to time and include the UK International Data Transfer Agreement (“UK IDTA”), and the UK International Data Transfer Addendum (the “UK Addendum”).

US Data Protection Laws means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and other similar comprehensive state privacy laws that place obligations on a controller in relation to Personal Data (as defined under such laws), and any relevant regulation, rule or other binding instrument which implements such laws, in each case as applicable and in force, and as amended, superseded, or replaced from time to time.

US Consumer means an individual that is a “consumer” as defined under US Data Protection Laws.

User Registered Address shall mean the registered address of the User as shown in the Main Agreement or, if said address is not included in the Main Agreement, as shown in the User Account.

2. Details of the Processing Operations

2.1 Data Processor will process, use, modify, collect and store the Personal Data within the meaning of Applicable Data Protection Laws as described in Schedule E. The appointed contact person for Data Processor is AfterShip Data Protection Officer with the following contact email address: [email protected].

2.2 Data Processor will process Personal Data for the entire duration of the performance of the Services for Data Controller. Personal Data shall be processed as long as necessary to fulfill the Purpose, or longer as may be required by law to meet any legal retention periods or in connection with Personal Data related to acts which can have legal effects, which shall be stored for evidentiary purposes for the duration of the statute of limitations. Personal Data will be retained by AfterShip based on Controller’s instructions and AfterShip retention policy.

2.3 The subject matter of the processing, including the processing operations, carried out by Data Processor on behalf of Data Controller and the instructions of Data Controller to Data Processor are described in Schedule E. The Parties expressly consider this DPA as being a set of documented instructions from Controller to Processor.

2.4 If User acts as a data processor to another data controller regarding Personal Data processed under this DPA, the following shall apply with respect to the Processing of said Personal Data:

  (a) User shall warrant, on an ongoing basis, that the relevant data controller has expressly authorized User, in writing, to (i) provide to AfterShip the instructions included in this DPA, (ii) appoint AfterShip as data subprocessor of the Personal Data, (iii) proceed to the Personal Data Transfers as described in Section 5 and (iv) authorize AfterShip’s engagement of the Authorized Subprocessors as described in Section 7;
  (b) Sections 3.1 and 3.2.1 of the DPA shall not be applicable;
  (c) User shall immediately forward to the relevant data controller any notice provided by AfterShip under Sections 4.2.3 (breach notification), 7.1 (opportunity to object to Authorized Subprocessor changes), or that refers to any EU SCCs;
  (d) User may make available to the relevant data controller any information made available by AfterShip under Schedule A and Schedule B;
  (e) Notwithstanding anything to the contrary in the Agreement or in this DPA, User shall indemnify and hold AfterShip harmless from and against any and all actions, demands, liability, claims, damages, losses, penalties, fines and expenses including attorneys' fees and court costs, made by any data subject, any data controller or any other third party, due to, arising out of, resulting from or in connection with (i) an action or omission committed by AfterShip, to the extent that such action or omission resulted from User’s (or any data controller’s) instructions to AfterShip; (ii) User’s failure to comply with this Section 2.4; or (iii) User’s failure to comply with its obligations as data processor under Applicable Data Protection Laws or any agreement with any data controllers;
  (f) Excluding this Section 2.4, any reference to “Data Controller” or “Controller” in this DPA shall be replaced by “Data Processor” and “Processor”;
  (g) Excluding this Section 2.4, any reference to “Data Processor” or “Processor” in this DPA shall be replaced by “Data Subprocessor”;
  (h) The EU SCCs (processor to processor) shall apply to the Processing instead of the EU SCCs (controller to processor).

3. Obligations of Data Controller

3.1 General

3.1.1 The Controller determines the purposes and means of the Processing of Personal Data.

3.1.2 The Controller shall abide by any Applicable Data Protection Laws.

3.1.3 The Data Controller acknowledges that with respect to Personal Data provided to Data Processor pursuant to this Agreement, it shall comply with the following obligations:

  1. implementing appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with Applicable Data Protection Laws;
  2. establishing a procedure for the exercise of the rights of the individuals whose Personal Data are collected;
  3. only processing Personal Data that has been lawfully and validly collected and ensuring that such Personal Data is relevant and proportionate to the respective uses;
  4. processing and collecting all Personal Data in a valid and lawful manner, in accordance with the legal grounds prescribed by Applicable Data Protection Laws, in particular obtaining the necessary consents and acknowledgements when required, including, for example, when conducting direct marketing, in connection with Cookies, or when concluding agreements with other data controllers (e.g., the Authorized Carriers);
  5. meeting all transparency obligations, in particular relative to the notification of the necessary informational elements to data subjects, including notably the existence of international transfers and the recipients of Personal Data, and demonstrating compliance with the transparency obligations by providing documentation to that effect to the Processor, including any update, revision or other modification to said documents;
  6. implementing appropriate technical and organizational measures suitable for protecting the Personal Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves Personal Data transmission over a network, and against any other forms of unlawful or unauthorized processing, to ensure a level of security appropriate to the risk, in accordance with the requirements of Applicable Data Protection Laws, as well as with industry-standard; and
  7. taking reasonable steps to ensure compliance with the provisions of the Applicable Data Protection Laws and this Agreement by its personnel and by any person accessing, processing, transferring or using Personal Data on its behalf.

3.2.1 Data Controller chooses which categories of AfterShip Services will be provided in connection with the End-Users. The Controller is responsible for determining and implementing the necessary measures to ensure respect for the legal basis of the processing of Personal Data, as well as for ensuring transparency and communication of information to the End-User.

3.2.2 Data Controller recognizes that, for applicable categories of AfterShip Services, AfterShip shall use cookies, pixels and web-beacons and other tools as further described in Schedule E and in the Documentation (“Cookies”). The Controller understands that it shall implement the necessary notices and measures to ensure proper collection of End-User consent in connection with these Cookies.

3.2.3 Data Controller recognizes that some categories of AfterShip Services entail the tracking of End-User behavior as described in Schedule E and the Documentation. The Controller represents and warrants that it has conducted the requisite legal analysis to ensure compliance with Applicable Data Protection Laws in connection with said tracking.

4. Obligations of Data Processor

4.1 Data Processor undertakes to comply with all Applicable Data Protection Laws.

4.2 Data Processor shall:

  4.2.1 taking into account the nature of the processing, assist Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Data Controller's obligation to respond to requests for exercising the data subject's rights under Applicable Data Protection Laws, provided however that Data Processor may charge an additional fee for the administration of such requests;
  4.2.2 assist Data Controller in ensuring compliance with the obligations under Applicable Data Protection Laws in relation to the security of processing, to the notification of any breach of Personal Data to supervisory authorities and data subjects where relevant, to the carrying out of data protection impact assessments where required and to prior consultation of the supervisory authority;
  4.2.3 notify the Controller of any Personal Data breach relative to Personal Data processed under the Data Processing Agreement, within 48 hours after having become aware of it, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
  4.2.4 ensure that only those persons strictly necessary to perform the present Data Processing Agreement, acting under the authority of the Processor, have access to the Personal Data and are subject to the necessary confidentiality obligations;
  4.2.5 at the choice of Data Controller, delete or return all such Personal Data to Data Controller after the end of the provision of the Products and Services under the Agreement, and delete existing copies unless applicable law requires storage of the Personal Data; and
  4.2.6 make available to Data Controller all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits in this respect, including inspections conducted by Data Controller or another auditor mandated by Data Controller.

4.3 Audits. Processor uses external auditors to verify the adequacy of its security measures with respect to its processing of the Personal Data. Such audits are performed at least once annually at Processor’s expense by independent auditors chosen at Processor’s discretion and result in the generation of a confidential audit report (“Audit Report”). Upon Controller’s written request at reasonable intervals, Processor will make available to Controller a copy of Processor’s most recent Audit Report. Controller agrees that any audit rights granted by Applicable Data Protection Laws shall be deemed satisfied by these Audit Reports. To the extent that Processor’s provision of an Audit Report does not provide sufficient information or Controller is required to respond to a regulatory authority audit, Controller agrees to a mutually agreed-upon audit plan with Processor that: (a) ensures the use of an independent third party; (b) provides written notice to Processor in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Controller at Processor's then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Controller; and (g) obligates Controller, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

4.4 All unreasonable expenses for compliance with the foregoing obligations provided in Section 4 of this DPA, shall be borne by Data Controller.

4.5 Data Processor represents and warrants that it processes all Personal Data in accordance with the Applicable Data Protection Laws. More specifically in this respect, Data Processor ensures that it shall process all Personal Data in accordance with the Applicable Data Protection Laws on valid legal grounds.

4.6 Data Processor has implemented appropriate technical and organizational measures as provided in Schedule A to ensure a level of security appropriate to the particular risks that are presented by Personal Data processing activities hereunder, in particular protecting Personal Data from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed by the Processor.

5. Personal Data Transfers

5.1 Data Processor shall only process Personal Data on documented instructions from Data Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Laws to which Data Processor is subject. In this regard and for the avoidance of doubt, the Parties expressly consider this DPA as being a set of documented instructions from Controller to Processor.

5.2 Data Controller expressly agrees that, in order for Data Processor to provide the Services, Data Processor is duly authorized to transfer Personal Data to the Authorized Subprocessors and/or the Authorized Carriers (and to permit Personal Data to be transferred by said Authorized Subprocessors and/or Authorized Carriers) in countries situated outside of Data Controller Country which means, for EU/UK Data Controllers, in countries situated outside of EEA/UK.

5.3 To the extent that Data Processor transfers Personal Data (or permits the Personal Data to be transferred) to a country other than the country in which the Personal Data was first collected, it shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Data Protection Laws including, if applicable, taking all reasonable steps to implement one of the mechanisms foreseen under the Applicable Data Protection Laws to ensure an adequate level of protection for Personal Data processing activities.

5.4 To the extent that the transfer of Personal Data between Data Controller and Data Processor involves a Restricted Transfer:

    5.4.1 In respect of Personal Data which is subject to GDPR, the Parties agree that (i) the Applicable EU SCCs shall apply in accordance with the terms of Schedule C and with details deemed to be completed as set forth in Schedule C, (ii) the Applicable EU SCCs shall be incorporated by this reference and form an integral part of this DPA and that (iii) Data Controller shall be “Data Exporter” and Data Processor shall be “Data Importer”;

    5.4.2 In respect of Personal Data which is subject to UK GDPR, the Parties agree that (i) the Parties shall rely on the Applicable EU SCCs as completed in Schedule C and as amended by the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, (ii) the details shall be deemed to be completed as set forth in Schedule D, (iii) the UK SCCs shall be incorporated by this reference and form an integral part of this DPA and that (iv) Data Controller shall be “Data Exporter” and Data Processor shall be “Data Importer”.

6. US Consumers

This Section shall apply to the extent the US Data Protection Laws are applicable to the Personal Data being processed and that Data Processor processes Personal Data about US Consumers that are subject to US Data Protection Laws. In this Section, “Business Purpose”, “Commercial Purpose”, “Deidentified”, “Sell”, “Sale”, “Service Provider” shall have the meanings ascribed to them in US Data Protection Laws, and “Share” shall have the meaning ascribed to it in the CCPA.

6.1 With respect to such Personal Data, and to the extent required by applicable US Data Protection Laws, Data Processor will:

    6.1.1 not retain, use or disclose Personal Data outside its direct business relationship with Data Controller or for any purpose other than to provide the Services, including retaining, using or disclosing such Personal Data for a Commercial Purpose other than performing the Business Purposes described in the Agreement, or as otherwise permitted by US Data Protection Laws;

    6.1.2 not Sell or Share such Personal Data;

    6.1.3 not combine Personal Data collected in connection with performing the Services with Personal Data received from another source or collected from its own interactions with the individual, except to perform the Services, with consent or direction, or as otherwise permitted by US Data Protection Laws;

    6.1.4 in connection with processing the Personal Data, comply with provisions of the US Data Protection Laws applicable to Service Providers or Processors, including providing the same level of privacy protection required of Data Controllers by the US Data Protection Laws, and notify Data Controller if it determines it can no longer meet these obligations (Data Controller may, upon receiving such a notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Data Processor);

    6.1.5 only engage Authorized Subprocessors in compliance with US Data Protection Laws and governed by a contract between Data Processor and Authorized Subprocessor that requires comparable protections to this DPA;

    6.1.6 take reasonable and appropriate steps, upon reasonable written notice from Data Controller and subject to the confidentiality obligations set out in the Terms of Use, to assist Data Controller with confirming that Data Processor’s use of Personal Data is consistent with Data Controller’s obligations under US Data Protection Laws;

    6.1.7 upon request, provide a report of a reasonable assessment of Data Processor’s policies and technical and organizational measures in support of its obligations under applicable US Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments; and

    6.1.8 upon termination of the Agreement, (i) promptly initiate its purge process to delete or Deidentify the Personal Data (which shall be Deidentified in accordance with US Data Protection Laws) and (ii) upon request, within 60 days of termination, return such Personal Data to Data Controller.

6.2 With respect to such Personal Data, and to the extent required by applicable US Data Protection Laws, Data Controller represents and warrants that Data Controller:

    6.2.1 has obtained any necessary consents, rights and authorizations and given any necessary notices to individuals regarding Data Controller’s disclosure of Personal Data to Data Processor to enable Data Processor’s processing of Personal Data to provide the Services, as required by US Data Protection Laws;

    6.2.2 will not share with Data Processor any Personal Data of any individual subject to the US Data Protection Laws who has exercised an opt-out that Data Controller has committed to honoring;

    6.2.3 will not share with Data Processor sensitive data of any US Consumer who has not consented to the processing of their sensitive data;

    6.2.4 will inform Data Processor of any rights requests individuals make to Data Controller pursuant to US Data Protection Laws that Data Processor must comply with and provide the information necessary for Data Processor to comply with the requests; and

    6.2.5 will be solely liable for its compliance with US Data Protection Laws.

The Parties agree that (i) the existence of this DPA does not constitute an admission that sharing of Personal Data constitutes a Sale or a Share and (ii) Data Processor provides no monetary or other valuable consideration to Data Controller in exchange for said Personal Data.

7. Authorized Subprocessors

7.1 Data Controller expressly agrees that Data Processor may use and engage the Authorized Subprocessors for carrying out processing activities and to fulfill its contractual obligations under this DPA. Any intended changes concerning the addition or replacement of these Authorized Subprocessors shall be notified to Data Controller. Data Controller may object to such changes within fifteen (15) days from the notice by writing to [email protected]. All objections must be reasonably motivated. In such case, the Processor will take reasonable steps to accommodate Data Controller, provided however that in the event a mutual agreement cannot be found, Data Processor shall be authorized to immediately terminate all Services to Data Controller without further indemnification or notice notwithstanding any other provisions in the DPA and/or in the Main Agreement.

7.2 Where Data Processor engages an Authorized Subprocessor for carrying out specific processing activities on behalf of Data Controller, Data Processor shall impose on that Authorized Subprocessor data protection obligations at least as stringent as those set out herein, by way of a contract or other legal act under applicable law. Data Processor shall remain liable to Data Controller for the performance of the Authorized Subprocessors’ obligations.

8. Authorized Carriers

Data Controller duly authorizes Data Processor to transfer Personal Data to the Authorized Carriers. Data Controller expressly acknowledges that Authorized Carriers are independent controllers of the relevant Personal Data.

For the avoidance of doubt, Data Controller expressly acknowledges that Authorized Carriers shall not be deemed subprocessors or subcontractors of Data Processor under the Applicable Data Protection Laws. Data Processor shall not be liable to Data Controller for the processing activities carried out by Authorized Carriers.

9. Support

User requests may involve access by AfterShip personnel to User's Account and AfterShip’s system using User's login credentials, email address(es) and password(s) for the purpose of providing support, debugging and assistance ("Support Access"). This Support Access may include access to Personal Data. If AfterShip determines that Support Access is necessary, User expressly authorizes AfterShip to enable Support Access and User shall provide AfterShip the necessary credentials to provide Support Access. Additionally, AfterShip may determine that the processing of certain types of Personal Data may only be done pursuant to Support Access, and if such Support Access is withdrawn, AfterShip will not be able to process such Personal Data.

Notwithstanding the foregoing, User retains the right to deactivate Support Access at its sole discretion through its Account settings. If User does so and a Service was predicated on Support Access, AfterShip shall not be responsible for any inability to provide the Services which were subject to having Support Access.

10. AfterShip Package Tracker App

AfterShip provides services to AfterShip Customers using AfterShip Package Tracker App, said services being provided by AfterShip independently from the Main Agreement. Data Controller recognizes that AfterShip will process Mobile App Data upon AfterShip Customer’s request through the AfterShip Package Tracker App. This Processing based on AfterShip Customer’s request shall not be subject to this Agreement.

Any set of Mobile App Data processed upon AfterShip Customer’s request shall be deemed under the control of AfterShip for the performance of AfterShip Customer’s requests through the AfterShip Package Tracker App. The User acknowledges that, in the framework of the performance of AfterShip Customer’s requests through the AfterShip Package Tracker App, AfterShip shall be considered as an independent controller of said Mobile App Data.

11. Limitation of Liability and Indemnity

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DPA, THE PARTIES AGREE THAT THE LIMITATIONS OF LIABILITY AND INDEMNITIES PROVIDED IN THE MAIN AGREEMENT SHALL BE APPLICABLE TO THIS DPA, EXCEPT FOR SECTION 2.4(e) WHICH SHALL NOT BE PREJUDICED.

12. Other Provisions

12.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Singapore.

12.2 The Parties to this Agreement irrevocably agree that the courts of Singapore shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

12.3 This Agreement, together with the schedules, annexes, and appendices thereto contain the entire understanding of the parties with respect to the subject matter hereof and supersede all prior agreements and understandings, oral or written, with respect to such matters, which the parties acknowledge have been merged into such documents, schedules, annexes, and appendices.

12.4 In the event of any conflict or inconsistency between the terms and provisions of this DPA and the terms and provisions of the Main Agreement, the terms and provisions of this DPA shall govern and control. In the event of any conflict or inconsistency between the terms and provisions of this DPA and the terms and provisions of the Applicable EU SCCs (or UK SCCs), to the extent said EU SCCs (or UK SCCs) are applicable, the Applicable EU SCCs (or UK SCCs) shall govern and control.

12.5 Pursuant to Article 27 of the General Data Protection Regulation (GDPR), AfterShip has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You may contact EDPO regarding matters pertaining to the GDPR:

Please contact our Data Protection Officer, Nicolas Magrez, by email or mail, respectively at [email protected] or WeWork, Paseo de Gracia 17, 08007 Barcelona, Spain.

SCHEDULE A

Technical and Organizational Security Measures

In accordance with Clause 4 of the Agreement, Data Processor will adopt and maintain appropriate (including organizational and technical) security measures in dealing with the Data in order to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of such Data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. In determining the technical and organizational security measures required by Clause 4 of the Agreement, Data Processor will take account of the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Data Processor will implement the specific security measures as described here below:
Each measure below is listed by Category, Subcategory, Relevant Security Issue and AfterShip Implementation.

Category: Privacy / Security
Subcategory: Data Retention and Storage
Relevant Security Issue: Data storage
AfterShip Implementation: All data, including collected personal data, are stored in the cloud through the cloud services shown in the Authorized Subprocessors' list. The location of the data centers is further described in the Authorized Subprocessors list.

Category: Privacy / Security
Subcategory: Data Retention and Storage
Relevant Security Issue: Personal data retention and erasure
AfterShip Implementation: There are defined retention periods for collected personal data. When personal data are no longer required to be retained, they are systematically destroyed and/or anonymized.

Category: Security
Subcategory: Access Control Management
Relevant Security Issue: Implemented password policies and password controls; encryption / hashing of passwords
AfterShip Implementation: AfterShip has implemented internal password policies that specify security requirements and prevent employees from using weak passwords. Two-factor authentication (2FA) is enabled to enforce account security. When stored by AfterShip, passwords are hashed with the SHA-1 or SHA-256 algorithm and a random salt.

Category: Security
Subcategory: Access Control Management
Relevant Security Issue: Immediate removal of access rights for users leaving the organization
AfterShip Implementation: Employee off-boarding procedures are in place to ensure that employees' access rights are removed when they leave.

Category: Security
Subcategory: Business Continuity Management
Relevant Security Issue: Backup policies and frequency
AfterShip Implementation: Daily backups are performed by the cloud services at primary and secondary data centers.

Category: Security
Subcategory: Business Continuity Management
Relevant Security Issue: Disaster recovery sites in multiple/diverse geographic locations
AfterShip Implementation: The data centers hosting the cloud services are located in different locations to reduce the risk of data loss.

Category: Privacy / Security
Subcategory: Governance
Relevant Security Issue: Security awareness training program currently in place: topics and frequency
AfterShip Implementation: Security awareness training is delivered when onboarding employees. Main topics covered include general obligations under the various information security policies, standards, procedures and guidelines, applicable security-related laws and regulations, contractual terms, and standards of ethics and acceptable behavior.

Category: Privacy / Security
Subcategory: Incident Response Management
Relevant Security Issue: Incident response procedures in place; existence of a team with defined roles and responsibilities; existence of communication procedures regarding security incidents such as data breaches; notification timeframe regarding third parties
AfterShip Implementation: A data breach response team and plan are in place (Detect, Contain, Analyze, Notify, Respond, Document, Learn), with a data breach response team checklist defining roles and responsibilities.
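The password storage measure above describes salted hashing with SHA-1 or SHA-256. What follows is an added illustration of that scheme, written for this page and not AfterShip's implementation, together with the check a practitioner would want: a single salted SHA-256 pass defeats precomputed tables but is cheap to brute-force offline, so the same primitive is also shown iterated through PBKDF2-HMAC-SHA256 (Python standard library) with a work factor, verification uses a constant-time comparison, and records still in the single-pass form are transparently rehashed at login. The record format, the iteration count and the sample passwords are assumptions of the example.

```python
"""Salted password hashing: single-pass SHA-256 vs. iterated PBKDF2-HMAC-SHA256.

Added example; not AfterShip code. Record format, iteration count and inputs
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000       # assumption: illustrative work factor, tune per deployment
LEGACY_SCHEME = "sha256"          # one SHA-256 over salt||password, as Schedule A describes
CURRENT_SCHEME = "pbkdf2_sha256"  # same primitive, iterated, so each guess costs more


def _digest(scheme: str, password: bytes, salt: bytes, iterations: int) -> bytes:
    """Compute the stored digest for a given scheme."""
    if scheme == LEGACY_SCHEME:
        # The random salt makes rainbow tables useless, but one SHA-256 call
        # is fast, so an attacker with the record can still guess quickly.
        return hashlib.sha256(salt + password).digest()
    if scheme == CURRENT_SCHEME:
        # PBKDF2 chains HMAC-SHA256 `iterations` times: a tunable work factor.
        return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    raise ValueError(f"unknown scheme {scheme!r}")


def hash_password(password: str, scheme: str = CURRENT_SCHEME,
                  salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    if scheme == LEGACY_SCHEME:
        iterations = 1
    digest = _digest(scheme, password.encode("utf-8"), salt, iterations)
    return "$".join([scheme, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the record's own parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    actual = _digest(scheme, password.encode("utf-8"),
                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Verify a login; if the stored record uses the legacy single-pass scheme,
    also return a rehashed record so the store can be migrated at login time
    (the plaintext password is only available at that moment)."""
    if not verify_password(password, record):
        return False, None
    if record.split("$", 1)[0] == LEGACY_SCHEME:
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    legacy = hash_password("correct horse", scheme=LEGACY_SCHEME)
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print("legacy record :", legacy)
    print("login ok      :", ok)
    print("upgraded to   :", upgraded.split("$", 1)[0] if upgraded else None)
```

The record carries its own scheme, iteration count and salt, so verification never needs out-of-band configuration and the iteration count can be raised later without invalidating existing records. SHA-1 is deprecated for new designs, and neither SHA-1 nor SHA-256 on its own adds a work factor; the iterated form is what current password-storage guidance expects.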



SCHEDULE B

List of Authorized Subprocessors

1. The following Authorized Subprocessors: https://www.aftership.com/legal/subprocessors
2. Any and all AfterShip Affiliates.

List of Authorized Carriers


The following Authorized Carriers: https://docs.aftership.com/api/4/supported-couriers



SCHEDULE C

STANDARD CONTRACTUAL CLAUSES - Decision (EU) 2021/914

Schedule C.1 - EU SCCs (controller-to-processor)

Terms applicable to the EU Standard Contractual Clauses:

a. Module Two (Controller to Processor) of the EU Standard Contractual Clauses apply where the Controller is Data Exporter and the Processor is Data Importer;

b. Clause 7 - the optional docking clause will apply;

c. Clause 9 - Option 2 will apply and the time period for prior notice of Authorized Sub-processor changes is fifteen (15) days;

d. Clause 17 - Option 1 will apply and the Clauses will be governed by the law of Belgium;

e. Clause 18 - Disputes will be resolved before the French speaking Court of Brussels;

f. Any options not specifically mentioned do not apply;

g. Annex I will be completed as follows:

  • Parties’ addresses, contact details, etc. are described in the definitions of the Parties provided in this DPA;
  • The appointed contact person for the Processor is described in Section 2 of this DPA;
  • The description of the transfer is set forth in Section 2 and Schedule E of this DPA;
  • The competent supervisory authority shall be defined in accordance with clause 13 of the EU SCCs;

h. Annex II will be completed as set forth in Schedule A of this DPA;

i. Annex III will be completed as set forth in Schedule B of this DPA.

Schedule C.2 - EU SCCs (processor-to-processor)

Schedule C.2 shall consist of all the clauses provided in Schedule C.1, except that clause a. shall be deleted and replaced in its entirety by the following paragraph:

“Module Three (Processor to Processor) of the EU Standard Contractual Clauses apply where the User is Data Exporter and AfterShip is Data Importer.”


SCHEDULE D

UK Addendum

PART 1 - Tables

Table 1: Parties. Start date: As set forth in the Main Agreement. Parties’ details: As set forth in this DPA and in the Main Agreement. Key Contact: See Section 2 of this DPA and/or the Main Agreement.

Table 2: Selected SCCs, Modules and Selected Clauses. Addendum EU SCCs: the Standard Contractual Clauses approved by the European Commission in the decision annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 as may be amended, superseded, or replaced from time to time and available here with details and applicable clauses as described in Schedule C.

Table 3: Appendix Information. “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

  • Annex 1A: List of Parties: as defined in the DPA
  • Annex 1B: Description of Transfer: as set forth in Schedule E and other sections of the DPA
  • Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: as set forth in Schedule A of the DPA
  • Annex III: List of Sub processors: as set forth in Schedule B of this DPA.

Table 4: Ending this Addendum when the Approved Addendum Changes. The following Parties may end this Addendum as set out in Section 19: Importer and Exporter.

PART 2: Mandatory Clauses

The Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.



SCHEDULE E
1. How AfterShip Collects Personal Data

AfterShip collects the different categories of Personal Data through the following means:

  • Through the AfterShip API
  • Through the User's individual communications
  • Through the Authorized Carriers' systems (e.g. through APIs, web crawlers, etc.)
  • Through Cookies (i.e. cookies, pixels or web beacons placed on the User's website)
  • Through platform (e.g. Shopify, Magento, TikTok, etc.) APIs or webhooks

2. Cookies, Pixels and Web Beacons' Management

If Cookies are used in accordance with the relevant category(ies) of Services provided to User by AfterShip, as shown in Schedule E, section 6, the following clauses shall apply:

a. AfterShip will use End-Users’ IP addresses to determine whether the relevant End-User is subject to EU General Data Protection Regulation, UK General Data Protection Regulation or California Consumer Privacy Act.

b. Users shall ensure that they provide consent collection mechanisms in connection with the Cookies, such as cookie banners, privacy policies and cookie policies, in compliance with the Applicable Data Protection Laws, particularly (but not exclusively) for End-Users based in the EU, the UK and California (for GDPR, UK GDPR and CCPA compliance respectively).

c. For Users using Shopify, if the cookie banner consent mechanism in Shopify is installed, then AfterShip will install Cookies for the EU, UK and California. For other non-Shopify Users, AfterShip cannot know if consent is secured and it is User’s responsibility to ensure that the consent collection mechanisms are properly in place.

d. Users may send an email to AfterShip customer support: [email protected] for any questions regarding the Cookies.

3. Description and Nature of Processing Activities and Services

Each entry reads: Service / Category of Services: Description of the Processing Activities and the Service.

AfterShip Tracking / Tracking (API): Service that enables Users to retrieve tracking information from the AfterShip API.

AfterShip Tracking / Tracking (Platform): Service that enables Users to provide a tracking experience to End-Users:
- to retrieve tracking information from AfterShip
- to manage the delivery status of all shipments
- to monitor shipping performance
- to customize the tracking experience

AfterShip Tracking / Branded tracking page: Service that enables Users to provide a branded parcel-tracking page to End-Users.

AfterShip Tracking / AI Recommendation: Service that enables Users to provide product recommendations to End-Users.

AfterShip Tracking / Email and SMS notifications: Service that enables Users to send delivery emails or SMS notifications to End-Users and to customize the notification experience.

AfterShip Tracking / Notifications revenue: Service that enables Users to analyze the potential gross revenue indirectly generated from email notifications when an End-User purchases an item after clicking on the link received in the email notification (may also include the conversion rate).

AfterShip EDD / AI-Predictive Estimated Delivery Date Widget: Service with the following features:
- the AI model detects the consumer's IP address to provide an Estimated Delivery Date (EDD)
- city-to-city level of accuracy
- estimated delivery date shown on the product page and checkout page

AfterShip EDD / AI-Predictive Estimated Delivery Dates: Service with the following features:
- to provide estimated delivery dates
- to show estimated delivery dates on the AfterShip Tracking, Branded tracking page and Notifications services
- to provide delay notifications

AfterShip Shipping / N/A: Service which enables Users:
- to generate and print shipping labels
- to calculate and compare shipping rates
- to manifest (i.e. send data to Authorized Carriers)
- to view shipping performance
- to manage all carrier account information in one place

AfterShip Returns / Returns center: Service which enables Users:
- to provide a branded returns experience to End-Users
- to send returns status update notifications to End-Users
- to manage all returns requests in one place
- to monitor returns performance
- to customize the returns and notification experience

AfterShip Returns / Returns page: Service which enables Users to provide a returns page to End-Users.

AfterShip Parser / Parser: Service which enables Users to use (i) email detection services, to detect whether an email includes relevant Order Information, and (ii) email parsing services, which extract the categories of data defined in this Data Processing Agreement from the Data.

AfterShip Protection / Protection: Service provided to Users to offer End-Users potential protection from lost, damaged or porch-pirated packages; the Insurance Provider is UPSCIA (as defined in the applicable AfterShip Protection terms).

AfterShip Protection / Protection widget: Service that enables End-Users to subscribe to AfterShip Protection services on the cart or checkout pages.

AfterShip Email / Tracking Notification: Service which enables Users to send delivery emails to End-Users and to customize the notification experience.

AfterShip Email / Marketing: Service which enables Users:
- to manage their newsletters and newsletter subscriptions
- to create discount coupon codes through subscription to newsletters
- to send email newsletters and automated emails for marketing purposes
- to manage contacts and identify target customer segments
- to issue and manage discount coupon codes

AfterShip SMS / Tracking Notification: Service which enables Users to send SMS notifications to End-Users and to customize the notification experience.

AfterShip SMS / Marketing: Service which enables Users to send SMS and automated SMS for marketing purposes.

AfterShip Popups & Forms / Popups & Forms: Service with features that enable Users:
- to manage discount coupon codes through subscription to newsletters and other means
- to show website popups and forms on their websites

AfterShip Popups & Forms / Conversion tools: Service with features that enable Users:
- to show website popups, sales popups and announcement bars on their websites
- to change the website storefront easily (e.g. add a sales sticker on an image)
- to send web push notifications
- to add an instant search bar to their website

AfterShip Popups & Forms / Recommendations: Service with features that enable End-Users to find products easily through personalized product recommendations.

AfterShip Page Builder / Page builder: Service with features that enable Users:
- to build conversion pages with abundant page features
- to list their stores' products
- to list their stores' product collections
- to obtain website analytics (visitor count, added-to-cart count, or other statistics)

AfterShip Page Builder / Sections processing End-User Information: Service with features that enable:
- End-Users to subscribe to merchants' newsletters
- End-Users to get discount coupon codes through subscription to newsletters and other means
- Users to send email newsletters and automated emails for marketing purposes
- Users to manage contacts and identify target customer segments
- End-Users to send feedback to merchants to build a relationship
- Users to receive feedback from End-Users

AfterShip Page Builder / Best sales: Service enabling Users to provide hot sales or product recommendations to End-Users.

AfterShip Reviews / Reviews: Service with the following features:
- End-Users to check previous reviews of the applicable store
- End-Users to submit their reviews and NPS feedback to merchants
- End-Users to get discount coupon codes through submitting and sharing reviews
- Users to collect reviews from End-Users
- Users to send emails for collecting reviews and NPS feedback
- Users to manage reviews and NPS feedback
- Users to add review widgets to their website
- Users to manage referral programs
- Users to show the reviews on Google and on other sales channels

AfterShip Reviews / Based on AfterShip Tracking events: Service with features that enable Users to send a review request email when an AfterShip tracking update event is triggered.

AfterShip Affiliates / Referral: Service with features that enable:
- Users to show a referral program signup widget on their websites
- End-Users to join referral programs and share referral links
- End-Users to visit a website via referral links
- End-Users to get rewards after they refer someone

AfterShip Affiliates / Affiliates: Service with features that enable:
- Users to show a referral program signup widget on their websites
- affiliates (referees) to join affiliate programs and share affiliate links
- End-Users to visit a website via affiliate links
- affiliates (referees) to get rewards after they refer someone who makes a purchase
- Users to see website analytics (visitor count, added-to-cart count, or other statistics)

AfterShip Personalization / Personalization: Service with features that enable Users to provide product recommendations to End-Users.

Shipment Reviews / Shipment reviews: Service allowing End-Users to provide shipment reviews to Users.

Apple Wallet Order Tracking / Apple Wallet: Service that enables Users to offer their End-Users the possibility to import tracking and parcel information into their personal Apple Wallet.

AfterShip Warranty / Warranty: Service which provides Users with a tool to give a warranty experience to End-Users, including, but not limited to, tracking returns and providing email notifications.

AfterShip Warranty / Branded Warranty Page: Service that enables Users to provide a branded parcel-warranty centre to their End-Users.

AfterShip Support Access / AfterShip Support Access: Support service where AfterShip accesses the User's Account for support, debugging and assistance.

4. Categories of Data Subjects

End-Users (all categories)

Parcel Recipients (name, signed by name, link to the proof of delivery, proof of delivery file*)

*Proof of delivery file will only be provided subject to AfterShip having (i) Support Access; and/or (ii) concluded a data processing agreement with the applicable Authorized Carrier providing adequate instructions, including retention periods, which AfterShip shall implement at its sole discretion in accordance with such instructions and Applicable Data Protection Laws.

5. Frequency of the Personal Data processing and transfer (if any transfer)

Continuous

6. Categories of Personal Data processed by category of Services

See the tables below.

AfterShip Tracking AfterShip EDD AfterShip Shipping AfterShip Returns AfterShip Protection AfterShip Parser AfterShip Warranty AfterShip Warranty Apple Wallet Order Tracking
Category of Personal Data Details Tracking (API) Tracking (Platform) Branded tracking page AI Recommendation Notifications revenue AfterShip EDD AfterShip EDD (Widget) Shipping Returns Centre Branded returns page Protection Parser Warranty Branded Warranty Page Apple Wallet
Shipping Information tracking number, carrier name, shipping method, box type, parcel weight, ship date, ship from address, shipping address, number of individual packages ✖️ ✖️
Order Information order number, order value, order date, order platform tag, shipping fee, item name, item value, item amount, item link, item number, item variant, item brand, coupon information, order status
End-User Information End-User name, End-User email, end-user phone number, End-User's address, End-User platform account ID ✖️ ✖️ ✖️ ✖️ ✖️
Tracking Information delivery status, delivery location, delivery date, signed by name, expected delivery date, link to the proof of delivery, proof of delivery file ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Label & Rates Information shipping label file, shipping rates, manifest file ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Returns Information returns reason, returns method, resolution type, returns product images, refund amount, returns date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-User Behavioral Data referrer page link, current page link, page consultation start/finish, product views or clicks, adding products to cart, search, functions provided by AfterShip widgets ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-User Browser Information browser type, browser version, os type, os version ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-user IP Address geolocation (city, state, region, country) ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shopping Cart Information shopping cart reference number, item name, item value, item amount, item link, item number, item variant, item brand ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Checkout Information checkout number, checkout value, checkout date, item name, item value, item amount, item link, item number, item variant, item brand, coupon code, discount amount, discount rate, coupon information ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Product Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _ama internally generated ID number of the End-User ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_id internally generated ID number of the End-User clicking on a link in an email or a SMS ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_sid internally generated ID number of the End-user browsing session ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Insurance Information insurance platform, insured amount, premium fee ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shipment Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Warranty Information warranty reason, warranty method, resolution type, warranty product images, refund amount, warranty date, product picture ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Connected Email Information email content, email date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
AfterShip Email AfterShip SMS AfterShip Popups & Forms AfterShip Page Builder AfterShip Reviews AfterShip Affiliates AfterShip Personalization AfterShip Support Access
Category of Personal Data Details Marketing Tracking Notification Marketing Tracking Notification Conversion tools Recommendations Page builder Processing of End-User Data Best sales Reviews Based on AfterShip tracking Referral Affiliates Personalisation AfterShip Support Access
Shipping Information tracking number, carrier name, shipping method, box type, parcel weight, ship date, ship from address, shipping address, number of individual packages ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Order Information order number, order value, order date, order platform tag, shipping fee, item name, item value, item amount, item link, item number, item variant, item brand, coupon information ✖️ ✖️
End-User Information End-User name, End-User email, end-user phone number, End-User's address, End-User platform account ID ✖️ ✖️
Tracking Information delivery status, delivery location, delivery date, signed by name, expected delivery date, link to the proof of delivery ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Label & Rates Information shipping label file, shipping rates, manifest file ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Returns Information returns reason, returns method, resolution type, returns product images, refund amount, returns date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-User Behavioral Data referrer page link, current page link, page consultation start/finish, product views or clicks, adding products to cart, search, functions provided by AfterShip widgets ✖️ ✖️ ✖️
End-User Browser Information browser type, browser version, os type, os version ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-user IP Address geolocation (city, state, region, country) ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shopping Cart Information shopping cart reference number, item name, item value, item amount, item link, item number, item variant, item brand ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Checkout Information checkout number, checkout value, checkout date, item name, item value, item amount, item link, item number, item variant, item brand, coupon code, discount amount, discount rate, coupon information ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Product Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _ama internally generated ID number of the End-User ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_id internally generated ID number of the End-User clicking on a link in an email or a SMS ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_sid internally generated ID number of the End-user browsing session ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Insurance Information insurance platform, insured amount, premium fee ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shipment Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Warranty Information warranty reason, warranty method, resolution type, warranty product images, refund amount, warranty date, product picture ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Connected Email Information email content, email date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️