By accessing and using rubix3’s products, websites, and services, including the Subscription Services, you agree to the terms contained within this Data Processing Addendum (“DPA”) and acknowledge that this DPA forms a part of the Master Subscription Agreement (“Agreement”). References in this DPA to the Agreement are to the Master Subscription Agreement, as amended from time to time. You, as the customer (“Customer”), and rubix3 as the service provider, may individually be referred to as a “Party” or collectively as the “Parties.” Unless otherwise defined herein, capitalized terms are defined in the same manner as used in the Agreement.
Data Processing Obligations
The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, Customer is the Data Controller and rubix3 may be a Data Processor of the Customer Personal Data and a description of the Customer Personal Data and the Processing activities which may be undertaken by rubix3 is set out in paragraph 7.
rubix3 is hereby appointed by Customer to process such Customer Personal Data on behalf of Customer in accordance with paragraphs 5 and 6 below.
Shared Customer Personal Data
Customer is the Data Controller of the shared Customer Personal Data to the extent that:
when it is Processed within its own technology environment; and/or
it is received from rubix3.
rubix3 is the Data Controller of the Customer Personal Data when it is received by the Storage Provider from Customer by and through the Non-rubix3 Platforms and Platform Connectors and Processed by rubix3 through the use of the Subscription Services pursuant to the Third-Party Tools.
That both Parties are Data Controllers in their own right (i.e. Data Controllers in common, and not Joint Controllers) in respect of the Processing of the Customer Personal Data on the basis that they each determine on their own (i.e. alone) the purposes and means of the Processing of such Customer Personal Data when it is Processed within their respective technology environments.
Each of the Parties shall Process the Customer Personal Data in accordance with paragraphs 4 and 5 below.
Each Party shall comply with its respective obligations under the Data Protection Legislation in respect of Customer Personal Data that it Processes pursuant to or in connection with the provision of the Subscription Services.
The Parties (acting reasonably and in good faith) shall review and (where necessary) agree on revisions to the provisions of this Schedule 3 to the extent necessary in order to comply with any changes to the Data Protection Legislation. It is agreed that each Party shall bear its own costs of any changes made in accordance with this paragraph 3.2, including the costs of complying with any additional or alternative obligations.
Lawfulness and purposes of processing
Each Party shall be responsible for ensuring that all Processing of Customer Personal Data carried out by that Party, or on its behalf by a Sub-processor, is fair and lawful, and for obtaining any consents or determining such other lawful basis for such Processing that may be required, under the Data Protection Legislation.
Information to be provided to data subjects
Where either Party initially collects the Personal Data from the Data Subject, the collecting Party shall provide, and shall be solely responsible for providing, the Data Subject(s) with all fair processing information relating to the Processing of their Personal Data that is required to be provided under the Data Protection Legislation provided that, to the extent Customer is the collecting Party, it shall be deemed to discharge its obligations under this paragraph 4.2.1 by linking to rubix3’s own fair processing notice within Customer's privacy notice.
rubix3 and Customer shall each be responsible for ensuring that their own fair processing information is accurate and complete and notifies the Data Subject(s) that their Personal Data may be transferred to and Processed by and on behalf of each of the Parties and their Processors, and where appropriate for obtaining any necessary consents as may be required from the Data Subject or determining such other legal basis for Processing, for the purposes envisaged by this Schedule 3.
If a Party receives a Data Subject Request relating to its own Processing of Customer Personal Data for which it is a Controller, it shall be responsible for responding to and dealing with that Data Subject Request and shall handle the Data Subject Request in accordance with the Data Protection Legislation. If a Data Subject Request received by a Party (Receiving Party) involves the Processing of Customer Personal Data by the other Party, the other Party shall, upon request from the Receiving Party, provide such information as is reasonably required in order for the Receiving Party to respond to and comply with the Data Subject Request in accordance with the Data Protection Legislation.
rubix3 shall without undue delay notify Customer upon becoming aware of:
an actual or suspected personal data breach relating to any Customer Personal Data;
a claim, complaint, or allegation relating to Customer Personal Data made against rubix3 and/or Customer or any of their Sub-processors by a Data Subject which may arise as a result of the actual or alleged breach of the Data Protection Legislation;
an investigation in connection with any Customer Personal Data by any supervisory authority or other regulatory body,
In respect of any Notifiable Event which rubix3 receives or is subject to, rubix3 shall, upon Customer’s request, keep Customer informed and up-to-date about the progress of the Notifiable Event, unless it is prohibited from doing so by law, and ensure that the Notifiable Event is responded to and otherwise dealt with in accordance with Data Protection Legislation.
Any notifications that rubix3 is required to provide to Customer in accordance with this paragraph 4.3 shall be sent to Customer using the email address associated with Customer’s account.
Suppliers Technical and Organizational Security Measures
rubix3 warrants that it, by and through the utilization of the Platform Connectors, Storage Provider, Third-Party Tools, and Non-rubix3 Platforms, possesses appropriate technical and organizational security measures to safeguard all Personal Data Processed pursuant to this Agreement against unauthorized or unlawful Processing and against accidental loss, disclosure or destruction of, or damage to, that Personal Data in such a way as to comply with Data Protection Legislation, and relies on the measures employed by said Platform Connectors, Storage Provider, Third-Party Tools, and Non-rubix3 Platforms and their appropriateness having regard to the nature of the Personal Data and the scope, context, and purposes of the Processing and the likelihood and severity of the risks to Data Subjects that are presented by the Processing of such Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed.
To the extent that rubix3 Processes Personal Data, rubix3 shall provide to Customer reasonable assistance to comply with the requirements of Article 32 of GDPR.
Suppliers Processing Obligations
To the extent that rubix3 processes any Customer Personal Data on behalf of Customer in connection with the Subscription Services, rubix3 shall:
only Process such Customer Personal Data in accordance with Customer’s written instructions, and shall, to the extent permitted by Applicable Law immediately notify Customer if it believes it has been provided with any instruction to Process Personal Data in breach of the Data Protection Legislation;
maintain a record of its Processing activities under the Agreement in accordance with and to the extent required by Article 30(2) of the GDPR, and rubix3 shall, at any time upon request, and in any event upon termination or expiration of this Agreement, deliver up to Customer details of such Processing activities;
ensure that access to any such Customer Personal Data is restricted to those of its personnel who need to have access in order to perform the Subscription Services and who are subject to confidentiality obligations in respect of the Personal Data;
notify Customer if it receives any Data Subject Request relating to the Customer Personal Data, and shall: (a) not respond to the Data Subject Request without Customer’s prior written consent and in accordance with Customer’s instructions; and (b) shall provide such assistance as Customer may reasonably require in respect of such Personal Data in order for Customer to comply with and respond to the Data Subject Request in accordance with the Data Protection Legislation;
notify Customer promptly (and in any event within 24 hours) if it or its Sub-processors receives or is the subject of a Notifiable Event with regards to Customer Personal Data and shall provide all the details required by Customer in respect of the Notifiable Event, and shall, upon Customer’s request, take such action and provide such assistance as Customer may reasonably require in order for Customer to comply with its obligations with regard to the Notifiable Event, including notification to the Information Commissioner's Office and Data Subjects, where applicable;
provide reasonable assistance to Customer in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and
ensure that it has implemented appropriate organizational and technical measures in order to comply with its obligations under this paragraph 6.1.
Where rubix3 engages a Sub-processor to Process any of the Customer Personal Data on Customer’s behalf in connection with the Subscription Services, rubix3 shall:
Save for those Sub-processors identified in paragraph 7 of this Schedule 3 which shall be deemed approved, inform Customer prior to the appointment or removal of any such Sub-processor, thereby giving Customer an opportunity to object to the appointment or removal; and
ensure that such Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on rubix3 under this Schedule 3; and
ensure that the Sub-processor’s Processing of such Customer Personal Data terminates upon termination of rubix3’s right to Process the data.
Provided always that rubix3 shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Customer Personal Data.
Upon termination or expiration of this Agreement, rubix3 shall cease all Processing of any Customer Personal Data Processed on Customer’s behalf under this Agreement and shall, at Customer’s option, return or destroy and delete all such Customer Personal Data, unless otherwise stated in the Agreement.
In order to demonstrate rubix3’s compliance with the Data Protection Legislation and the terms of this Schedule 3, rubix3 shall:
provide Customer with such information as Customer reasonably requests from time to time to enable Customer to satisfy itself that rubix3 is complying with its obligations under this Schedule 3 and the Data Protection Legislation; and
allow Customer, its agents, representatives, regulators and external auditors access (on reasonable notice) to its premises where Personal Data is Processed under this Agreement to allow Customer to audit its compliance with this Schedule 3 and the Data Protection Legislation and shall provide reasonable co-operation as requested by Customer in the performance of such audit.
Description of Processing Activities
Categories of Customer Personal Data
Customer Personal Data that may be processed by rubix3.
Name, email addresses, phone numbers, device IDs, device fingerprints, payment information, card tokens, address details, order details, transaction success, locations, GPS locations, order status, promotional codes, markets, countries, postcodes, seller IDs, refund information, chargeback information, tags, labels, login information, creation and execution timestamps.
Categories of Data Subjects
Categories of Data Subjects whose Customer Personal Data will be processed by rubix3.
The end users/clients of the Customer website, app or other service provided by Customer and/or who place an order for products or services, engage within marketing activities, or any other activity related to Customers’ services.
All Processing activities to be conducted by Sub-processors with regards to the Customer Personal Data.
Customer Personal Data granted by the Customer and integrated using Platform Connectors through the authentication procedure are processed using Third-Party Tools and Non-rubix3 Platforms using the tasks of API ingestion, data transformation, and data loading.
Identity of Storage Providers
Details of all permitted Storage Providers used to store transferred Customer Personal Data.
rubix3 currently utilizes the Amazon Web Services (AWS) ecosystem and its storage solution, Amazon Redshift, a cloud-based data warehouse. All data collected from Non-rubix3 Platforms utilized by Customer and integrated using Platform Connectors is collected and managed in this environment.
Location of Processing Operations
All locations where the Customer Personal Data will be processed by rubix3.
Identity of Platform Connectors
Details of all permitted Platform Connectors used to transfer Customer Personal Data.
See Documentation for additional detail.
Identity of Third-Party Tool providers
Details of all permitted Third-Party Tool providers used to process Customer Personal Data.
See Documentation for additional detail.
Purposes for which the Customer Personal Data will be Processed by rubix3.
Deliver organizational solutions to customers, with an emphasis on data visualization and decision-making support to enhance operations and generate actionable insights across multiple data platforms.
Length of time for which data Processing activities will be carried out on the Customer Personal Data.
Until the termination or expiry of this Agreement, whichever the sooner.