DATA PROCESSING AGREEMENT
Last Revised: 01/01/2022
1. About this DPA.
a) This Data Processing Agreement (“DPA”) is a legal agreement which forms an integral part of and applies in addition to the existing w3 Service Agreement (“Service Agreement”) concluded by and between the Customer (as defined in the Service Agreement) as controller and w3 and the w3 affiliate that is the contracting entity (as defined in the Service Agreement) (collectively referred to as “w3” in this DPA) as processors in connection with the provision of services, which include various data processing services, to Customer (“Services”). Signature of the Service Agreement shall be deemed to constitute signature and acceptance of this DPA, which is incorporated by reference therein.
b) This DPA consists of:
- the main body of the DPA
- Schedule 1. Description of w3’s Security Measures
Terms used in this DPA have the same meaning as those used in the Service Agreement, unless otherwise stated. If there are any conflicts or inconsistencies between the Service Agreement and this DPA, this DPA prevails.
3. Description of Personal Data.
When carrying out the Services, w3 may have access to or otherwise receive or process information relating to identified or identifiable individuals (“Personal Data”).
a) Type of Personal Data processed. Depending on how the Customer chooses to use the Services, w3 may process the following types of Personal Data:
First name, Last name; Contact information (e-mail address, home address, phone number); Language; Date of birth; IP address; Location data; Government-issued identification numbers; Financial information; Bank account details; Credit bureau reports. w3 may also process other kinds of Personal Data if Customer has chosen to collect and input such Personal Data into our Services. The Services do not require other kinds of Personal Data to function properly. w3 disclaims all liability for damages or claims associated with Customer’s choice to input non-compulsory Personal Data into the Services.
b) Data subjects. Personal Data about the following categories of individuals is processed:
- Owner(s) of a business that subscribes to w3’s Services.
- Employees and other persons authorized by the Customer who have access to and use the Services (End-Users).
- Individuals whose Personal Data is processed using the Services, including a Customer’s customers and suppliers.
4. Purposes of the processing.
w3 is a provider of software as a service for point of sale solutions for the retail and hospitality industry as well as the provider of an online platform that can be used for eCommerce and related purposes. w3 shall process Personal Data on behalf of the Customer to provide these services to the Customer pursuant to the Service Agreement and any additional purposes as instructed by Customer when using the Services. When w3 acts as processor of the Personal Data, w3 may only process Personal Data on behalf of Customer and solely for the purposes identified in this DPA and the Service Agreement.
5. Responsibilities regarding data processing.
a) Controller. Customer is the controller of all the Personal Data that it collects through the Services. Customer shall ensure that it is entitled to process and transfer the Personal Data to w3 so that w3 may lawfully process the Personal Data on Customer’s behalf, as contemplated under this DPA.
b) Processor. w3 acts as a processor of the Personal Data collected by the Customer through the use of the Services.
c) Sub-processors. Customer acknowledges and hereby grants its express written authorization that (i) w3’s affiliates may act as w3’s sub-processors; and (ii) w3 may engage sub-processors as necessary to perform the Services. Customer acknowledges that sub-processors are essential to provide the Services. Customer acknowledges that if it objects to w3’s use of a sub-processor, w3 will not be obligated to provide Customer the Services for which w3 uses that sub-processor.
6. Data processing.
w3 shall ensure that any processing shall be fair, lawful, and consistent with w3’s obligations under this DPA and compliant with applicable data protection law. In particular:
a) Controller instructions. w3 shall process Personal Data only on the documented instructions of Customer. If w3 is required to additionally process Personal Data in compliance with an applicable law or regulation to which w3 is subject, it will inform Customer of such legal requirement prior to such processing, unless prohibited from doing so by an applicable law or regulation;
b) Ensure appropriate protection. w3 shall ensure appropriate protection of Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where processing involves a transmission of Personal Data over a network, and against all other unlawful forms of processing;
c) Security safeguards. w3 shall comply with the security requirements set forth in Schedule 1, taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of processing;
d) Disclosure. w3 shall not disclose Personal Data to any third party or unauthorized persons, unless Customer has given its prior written consent to such disclosure and subject to the conditions laid down under section 6 of this DPA;
e) Confidentiality. w3 shall hold Personal Data in strict confidentiality and require that employees and any other person under its authority who will be provided access to or will otherwise process Personal Data are held to the same level of confidentiality in accordance with the requirements of the DPA (including during the term of their employment or engagement and thereafter);
f) Data subject requests. w3 shall take appropriate measures to assist the Customer, insofar as this is possible, in fulfilling Customer's obligations as a controller in responding to requests from individual data subjects to exercise their rights under any applicable data protection law or regulation. In addition, w3 shall promptly notify Customer if it receives a request from an individual with respect to Personal Data, including but not limited to information access requests, information rectification requests, requests for blocking, erasure, or portability of Personal Data, and shall not respond to any such requests unless expressly authorized to do so by Customer or unless required under an applicable data protection law or a law of the European Union or a Member State to which w3 is subject. Additionally, w3 shall ensure that it has implemented technical and organizational measures to assist Customer in fulfilling its obligation to respond to any such requests from an individual with respect to Personal Data processed. w3 shall promptly and properly deal with enquiries and requests from Customer in relation to the processing of Personal Data under this DPA;
g) Assistance with Customer’s compliance. Taking into account the nature of the processing and the information available to w3, w3 shall assist the Customer in ensuring compliance with the obligations regarding security measures and conducting data protection impact assessments, where necessary pursuant to Articles 32-36 of the General Data Protection Regulation (GDPR). w3 shall assist and support Customer in the event of an investigation by a data protection authority or similar authority, if and to the extent that such investigation relates to the processing of Personal Data under this DPA. w3 shall promptly notify Customer if in w3’s view an instruction given by Customer infringes applicable laws and regulations, including data protection laws, or a change in the applicable laws and regulations is likely to have a substantially adverse effect on its ability to comply with its obligations under this DPA; w3 shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer. w3 may refuse to carry out an instruction that is obviously unlawful;
h) Disclosure requests. To the extent permitted by applicable law, w3 shall notify Customer of each request w3 receives from a public authority requiring w3 to disclose Personal Data processed in the context of the Service Agreement or to participate in an investigation involving that Personal Data. w3 will make reasonable efforts to narrow the scope of any such request received and will provide only the Personal Data specifically requested;
i) Data breach. w3 shall promptly (and in any event within forty-eight (48) hours) after becoming aware, notify Customer of any facts known to w3 concerning any actual accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by any current or former employee, contractor or agent of w3 or by any other person or third party; w3 shall cooperate fully with Customer in the event of any accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by any current or former employee, contractor or agent of w3 or by any other person or third party, in order to limit the unauthorized disclosure or use, seek the return of any Personal Data, and assist in providing notice to competent regulators and affected individuals if requested by Customer.
7. Onward processing.
w3 may only subcontract performance of part of the Services to third parties as sub-processors if w3 ensures that such sub-processors are bound to obligations that are not less onerous than those set out in this DPA.
8. Retention and deletion.
a) w3 processes Personal Data for as long as it is reasonably needed to deliver the Services. The retention term can be longer if w3 is required to keep Personal Data longer on the basis of applicable law or to administer its business.
b) Upon request by Customer, w3 shall immediately cease to process Personal Data and shall promptly return all such Personal Data, or delete the same, in accordance with such instructions as may be given by Customer at that time, unless it is required to store the Personal Data under an applicable law or regulation to which w3 is subject or unless explicitly agreed otherwise with Customer. The obligations set out in this section shall remain in force notwithstanding termination or expiration of this DPA.
9. Audit and Compliance.
a) w3 will make available to the Customer all information necessary to demonstrate compliance with the obligations regarding the processing of Personal Data provided to w3 in its role as a data processor.
b) w3 shall make the processing systems, facilities and supporting documentation relevant to the processing of Personal Data available for an audit by Customer or a qualified independent assessor selected by Customer and provide all assistance Customer may reasonably require for the audit no more than one time per 12-month period. If the audit demonstrates that w3 has breached any obligation under the DPA, w3 shall immediately cure that breach.
c) In case of inspection or audits by a competent governmental authority relating to the processing of Personal Data, w3 shall make available its relevant processing systems, facilities and supporting documentation to the relevant competent public authority for an inspection or audit if this is necessary to comply with applicable laws. In the event of any inspection or audit, each party shall provide all reasonable assistance to the other party in responding to that inspection or audit. If a competent public authority deems the processing of Personal Data under this DPA unlawful, the parties shall take immediate action to ensure future compliance with applicable data protection law. Instead of on-site inspections and controls, w3 may refer the Customer to an equivalent control by independent third parties (such as neutral data protection auditors), compliance with approved rules of conduct (Art. 40 GDPR) or suitable data protection or IT security certifications pursuant to Art. 42 GDPR. This applies in particular if company and business secrets of w3 or Personal Data of third parties would be endangered by the controls.
d) Customer will reimburse w3 for any reasonable costs incurred by w3 in connection with any audit or inspection by (or on behalf of) Customer or a competent governmental authority, except where such audit or inspection reveals that w3 has breached any of its obligations under the DPA.
e) Except where w3 is otherwise prohibited by law from making such disclosure, w3 shall promptly inform Customer if: (i) it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing of Personal Data under this DPA, if it concerns the data of the Customer; or (ii) it intends to disclose Personal Data to any competent public authority.
f) w3 shall ensure that any employee, agent, independent contractor, or any other person engaging in the provision of the Services and who has access to Personal Data of Customer, shall comply with all data protection and privacy laws and regulations (including any and all legislative and/or regulatory amendments or successors thereto), applicable to w3.
10. Data transfers (only for Customers established in the EEA, Switzerland or the UK)
a) Customer authorizes w3 to commission processing in a third country, including by sub-processors, if the specific requirements of articles 44-49 GDPR are met. Customer shall be deemed to have granted explicit consent for processing in a third country with regard to the processing operations by w3 and the Authorized Sub-processors as listed here.
b) w3 is a company based in the United States. As such, most data transfers from Customers established in the European Economic Area (EEA), Switzerland or the United Kingdom (UK) to w3 are made pursuant to the European Commission’s adequacy decision for the USA.
c) To the extent that the adequacy decision does not apply, w3 relies on the appropriate enclosed Standard Contractual Clauses (“SCCs”), attached hereto as Schedule 2 and Schedule 3, as an approved transfer mechanism for international transfers of Personal Data. In these SCCs, Customer is the data exporter and w3 is the data importer.
d) Signature of the Service Agreement shall be deemed to constitute signature and acceptance of the appropriate SCCs. If Customer would like to additionally execute a separate copy of the appropriate SCCs, Customer may complete the appropriate pre-signed version attached hereto as Schedule 2 or Schedule 3, countersign it, and return it to w3 by email at email@example.com, indicating, if applicable, the Customer’s legal entity and/or account number (mentioned on the applicable w3 invoice).
e) In the absence of the aforementioned appropriate safeguards, w3 may, to the extent permitted under and in accordance with applicable data protection laws (including GDPR), rely on a derogation applicable to the specific situation at hand (e.g. the data subjects’ explicit consent, the necessity for the performance of an agreement, the necessity for the establishment, exercise or defense of legal claims).
11. Data inquiries.
Any Customer may, at any time, contact w3 at firstname.lastname@example.org with all questions and suggestions concerning data protection.
a) Amendments. Any amendments or supplements to this DPA must be made in writing. The same applies to any waiver of any right or obligation under this DPA. The order of precedence of individual contractual agreements shall remain unaffected thereby. w3 reserves the right to amend this DPA at any time with effect for the future. Amendments will only be made if the following objective reasons exist:
- if the amendment helps to bring the DPA in line with applicable law, in particular if the applicable legal situation changes;
- if the amendment enables w3 to comply with mandatory judicial or administrative decisions;
- if the amendment reflects details of a new or updated w3 Service or of new or updated technical or organizational processes and the existing contractual relationship with Customer is not affected to Customer’s detriment;
- if the amendment is solely to Customer’s advantage.
b) Severability. If any provision of this Agreement is or becomes invalid or impracticable in whole or in part, the validity of the remaining provisions shall not be affected thereby.
c) Term. This DPA shall be effective for the entire Term (as defined in the Service Agreement) and this DPA terminates on the date on which the Service Agreement has expired or is terminated.
Schedule 1: Description of w3's Security Measures
w3 has taken appropriate and sufficient technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where processing involves a transmission of Personal Data over a network, and against all other unlawful forms of processing.
w3 has an established information security organization managed by the w3 security team and led by the CEO. w3 Security establishes and maintains policies and procedures that set standards for logical access to the w3 production environments. The policies also identify functional responsibilities for the administration of logical access and security. w3 Information Security policies are reviewed and approved on an annual basis by Security Leadership and are used to support w3 in meeting the service commitments made to the Customer. The following description provides an overview of the technical and organizational security measures implemented. Such measures shall include, but are not limited to, the following. For more detailed information on the latest state-of-the-art measures, please contact us directly.
w3 will process the Personal Data as a Data processor, only for the purpose of providing the Services in accordance with documented instructions from the Customer (provided that such instructions are commensurate with the functionalities of the Services), and as may be agreed to with Customer.
w3 implements and maintains appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
w3 ensures that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Personal Data.
w3 employs the concepts of least privilege and need-to-know, allowing only the necessary access for users to accomplish their job function. User accounts are created to have minimal access. Access above these least privileges requires appropriate and separate authorization.
In-transit: w3 makes HTTPS encryption available on every one of its login interfaces and on every customer site hosted on the w3 products. w3's HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: w3 stores user passwords following industry-standard security practices.
w3 performs encryption at rest on other sensitive fields specifically identified by w3.
Preventing Unauthorized Product Access
Outsourced processing: w3 hosts its services on third-party hosting infrastructure in the form of data centers and Infrastructure-as-a-Service (IaaS). Additionally, w3 maintains contractual relationships with vendors in order to provide the service in accordance with this DPA. w3 relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: w3 hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of our infrastructure providers are audited for SOC 2 Type II, ISO 27001 and PCI DSS compliance, among other certifications.
Authentication: w3 implemented a uniform password policy for its customer products. All users who need to interact with the products via any interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of w3's products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user's permissions against the attributes associated with each data set.
Preventing Unauthorized Product Use
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: w3 implemented a Web Application Firewall (WAF) solution to protect certain hosted customer websites and other internet-accessible applications specifically identified by w3. The WAF is designed to identify and prevent attacks against publicly available services.
Vulnerability scanning: w3 regularly scans its code, infrastructure and web services for known vulnerabilities and remediates them in a timely manner. w3 subscribes to news feeds for applicable vendor flaws and proactively monitors vendors' websites and other relevant outlets for new patches.
Limitations of Privilege & Authorization Requirements
Product access: A subset of w3's employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Employees may be granted access by role or upon submitting an approved request. Log-ins to data storage or processing systems are logged.
Database access: Customer data is accessible and manageable only by properly authorized staff. Direct database query access is restricted, and application access rights are established and enforced.
Incident Management Control
Detection: w3 designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. w3 personnel, including security, operations, and support personnel are responsive to known incidents.
Response and tracking: w3 maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident remediation. Suspected and confirmed security incidents are investigated by security, operations or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, w3 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If w3 becomes aware of unlawful access to Customer data stored within its products, w3 will:
- Notify the affected Customers of the incident;
- Provide a description of the steps w3 is taking to resolve the incident;
- Provide status updates to the Customer contact, as it deems necessary or is legally required.
Notification of incidents, if any, will be delivered to one or more of the Customer's contacts in a form w3 selects, which may include email or telephone.