This Data Processing Agreement (“DPA”) is entered into between 4Seller Technology (America) Co., Ltd (“Company”, “us”, “our”, “we”) and the customer (“Customer”) for the purchase of online services (“Services”) from Company and reflect the parties agreement with regards to Processing of Personal Data.

Appendix 1 and Appendix 2 are both incorporated into, and form part of, this DPA. Appendix 1 sets out the agreed subject-matter, the nature and purpose of the processing, the type of Personal Data, categories of data subjects and Appendix 2 sets out the applicable technical and organizational measures. The technical and organizational measures apply to Company under this DPA and also to the Standard Contractual Clauses.

Definitions

The terms “Personal Data”, “Controller”, “Data Subject”, “Processor” and “Processing” shall have the meaning given to them in the Regulation 2016/679 of the European Parliament.

“End-User” means any individual consumer who purchases products or services from Customer on a third-party e-commerce platform.

“End-User Data” means any Personal Data relating to an End-User that Company processes on behalf of Customer via the Service.

“Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement.

“Subprocessor” means our Affiliates and third parties engaged by our Affiliates in connection with our Service and which process Personal Data in accordance with this DPA.

Roles and Responsibilities

The parties acknowledge and agree that with regard to the processing of End-User Data, Customer is Data Controller and Company is Data Processor acting on behalf of Customer.

Company shall process End-User Data only in accordance with Customer’s instructions as set forth in this DPA, as necessary to comply with applicable law.

Customer represents and warrants that (i) it has all notices and policies required to inform End-User about the Processing and their rights provided by Data Protection laws; (ii) it has collected all consents and confirmations required for processing of End-User Data by Company pursuant to this DPA; and it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of End-User Data and any processing instructions it issues to Company.

Customer shall have sole responsibility for the accuracy, quality, and legality of End-User Data and the means by which Customer acquired End-User Data.

Company Obligations

Instructions from Customer

We will process Personal Data only in accordance with documented instructions from Customer. The Agreement (including this DPA) constitutes such documented initial instructions and each use of the Service then constitutes further instructions. We will use reasonable efforts to follow any other Customer instructions, as long as they are required by Data Protection Law, technically feasible and do not require changes to the Service. If any of the before-mentioned exceptions apply, or we otherwise cannot comply with an instruction or we are of the opinion that an instruction infringes Data Protection Law, we will immediately notify Customer (email permitted).

Processing on Legal Requirement

We may also process Personal Data where required to do so by applicable law. In such a case, Company shall inform Customer of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.

Personnel

To process Personal Data, we and our Sub-processors shall only grant access to authorized personnel who have committed themselves to confidentiality. We and our Sub-processors will regularly train personnel having access to Personal Data in applicable data security and data privacy measures.

Cooperation

At Customer’s request, Company will reasonably cooperate with Customer in dealing with requests from Data Subjects or regulatory authorities regarding our processing of Personal Data or any Personal Data breach.

If we receive a request from a Data Subject in relation to the Personal Data processing hereunder, we will promptly notify Customer (where the Data Subject has provided information to identify the Customer) via e-mail and shall not respond to such request itself but instead ask the Data Subject to redirect its request to Customer.

In the event of a dispute with a Data Subject as it relates to our processing of Personal Data under this DPA, the Parties shall keep each other informed and, where appropriate, reasonably co-operate with the aim of resolving the dispute amicably with the Data Subject.

Company shall provide functionality for production systems that supports Customer’s ability to correct, delete or anonymize Personal Data from Service, or restrict its processing in line with Data Protection Law. Where such functionality is not provided, we will correct, delete or anonymize any Personal Data, or restrict its processing, in accordance with the Customer’s instruction and Data Protection Law.

Personal Data Breach Notification

Company will notify Customer without undue delay after becoming aware of any Personal Data Breach and provide reasonable information in its possession to assist Customer to meet Customer’s obligations to report a Personal Data Breach as required under Data Protection Law. Company may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by Company.

Data Protection Impact Assessment

Company shall respond to all requests for information made by Customer to confirm our compliance with this DPA. This includes but is not limited to provision of information regarding security measures implemented, conducting of due diligence, and answering to audit questionnaires, provided that Customer shall not exercise this right more than once per calendar year.

Retention and Deletion of Data

End-User Data shall be processed and stored for as long as required for performance of the contract between Company and Customer until such a contract has been fully performed or terminated. Upon expiration of the contract, End-User Data shall be deleted, unless it should be retained according to applicable Data Protection Laws, or due to a request from an authorized authority, prosecution body or court.

Customer Audit

Customer or its independent third party auditor reasonably acceptable to Company (which shall not include any third party auditors who are either a competitor of Company or not suitably qualified or independent) may audit Company’s control environment and security practices relevant to Personal Data processed by Company only if:

• a Personal Data breach has occurred;
• an audit is formally requested by Customer’s data protection authority; or
• provided under mandatory Data Protection Law conferring Customer a direct audit right and provided that Customer shall only audit once in any 12 month period unless mandatory Data Protection Law requires more frequent audits.

Scope of Audit

Customer shall provide at least 60 days advance notice of any audit unless mandatory Data Protection Law or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. Customer audits shall be limited in time to a maximum of 3 business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. Customer shall provide the results of any audit to Company.

Cost of Audits

Customer shall bear the costs of any audit. If an audit determines that Company has breached its obligations under the DPA, Company will promptly remedy the breach at its own cost.

Subprocessors

Permitted Use

Company is granted a general authorization to subcontract the processing of Personal Data to Subprocessors, provided that:

• Company shall engage Subprocessors under a written (including in electronic form) contract consistent with the terms of this DPA in relation to the Subprocessor’s processing of Personal Data. Company shall be liable for any breaches by the Subprocessor in accordance with the terms of this Agreement;
• Company will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this DPA; and
• A list of relevant Subprocessors in place on the effective date of the Agreement will be made available to Customer upon request, including the name, address and role of each Subprocessor used to provide Service.

New Subprocessors

Company’s use of Subprocessors is at its discretion, provided that Customer may object to such changes as set out in Section 6.3.

Objections to New Subprocessors

If Customer has a legitimate reason under Data Protection Law to object to the new Subprocessors’ processing of Personal Data, Customer may terminate the Agreement (limited to the Cloud Service for which the new Subprocessor is intended to be used) on written notice to Company.

Any termination under this Section 6.3 shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.

International Processing

Conditions for International Processing

Company shall be entitled to process Personal Data, including by using Subprocessors, in accordance with this DPA outside the country in which the Customer is located as permitted under Data Protection Law.

Standard Contractual Clauses

Where a Controller’s Personal Data Processing is undertaken outside of the European Union, and such processing requires a means of adequate data protection under the laws of the country of the Controller and that data protection requirement is, or can be, met by the parties entering into Standard Contractual Clauses, then:

• By Company’s and Customer’s entry into the Agreement, Company and Customer are hereby deemed to have entered into the Standard Contractual Clauses;
• Customer enters into the Standard Contractual Clauses on its own account, and on behalf of its End-User;
• With respect to any foreign Subprocessors engaged in Personal Data Subprocessing, Company shall, upon request by the Customer, arrange for the Customer to enter into the Standard Contractual Clauses with the relevant Subprocessors, or their authorised agent;
• In the event Company is reasonably satisfied that a right to enforce the Standard Contractual Clauses against the relevant Subprocessors is not available to the Customer, including any successful challenge by a Subprocessor under its applicable law to that right of enforcement, Company will ensure that the Standard Contractual Clauses are enforced against the Subprocessors for the benefit of the Customer.

Standard Contractual Clauses full text: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Documentation; Records of Processing

Each party is responsible for its compliance with its documentation requirements, in particular maintaining records of processing where required under Data Protection Law. Each party shall reasonably assist the other party in its documentation requirements, including providing the information the other party needs from it in a manner reasonably requested by the other party (such as using an electronic system), in order to enable the other party to comply with any obligations relating to maintaining records of processing.

Appendix 1 Details of Data Processing and Transfer

Data Exporter

The Data Exporter is the Customer who used Service. Where the Customer allows other Controllers to also use the Service, these other Controllers are also Data Exporters.

Data Importer

Company and its Subprocessors may support the Service remotely from the locations where Company and its Subprocessors employ personnel. Support includes:

• Backup & restoration of End-User Data stored in Service
• Provision of logistics services

Data Subjects

Unless provided otherwise by the Data Exporter, transferred Personal Data relates to the following categories of Data Subjects: End User or other individuals having Personal Data processed in Service.

Data Categories

The transferred Personal Data typically relates to the following categories of data: name, phone numbers, e-mail address, address data, tax ID number.

Special Data Categories (if appropriate)

The transferred Personal Data concerns the following special categories of data: As set out in the Agreement (including the Order Form) if any.

Processing Operations / Purposes

The transferred Personal Data is subject to the following basic processing activities:

• Backup & restoration of End-User Data stored in Service
• Provision of logistics services

Appendix 2 Technical and Organizational Measures

The following sections define Company’s current technical and organizational measures. Company may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

Physical Access Control

Unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use Personal Data are located.

Measures:

• Company protects its assets and facilities using the appropriate means based on the Company Security Policy
• In general, buildings are secured through access control systems (e.g., smart card access system).
• Depending on the security classification, buildings, individual areas and surrounding premises may be further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems and biometric access control systems.
• Access rights are granted to authorized person on an individual basis according to the System and Data Access Control measures. This also applies to visitor access. Guests and visitors to Company buildings must register their names at reception and must be accompanied by authorized Company personnel.
• Company employees and external personnel must wear their ID cards at all Company locations.

System Access Control

Data processing systems used to provide the Service must be prevented from being used without authorization.

Measures:

• Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes according to the Company Security Policy.
• All personnel access Company’s systems with a unique identifier (user ID).
• Company has procedures in place to ensure that requested authorization changes are implemented only in accordance with the Company Security Policy (for example, no rights are granted without authorization). In case personnel leave the company, their access rights are revoked.
• The company network is protected from the public network by firewalls.
• Company uses up-to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.
• Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to Company’s corporate network and critical infrastructure is protected by strong authentication.

Data Access Control

Personnel entitled to use data processing systems gain access only to the Personal Data that they have a right to access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.

Measures:

• Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. Company uses authorization concepts that document grant processes and assigned roles per account (user ID). All End-User Data is protected in accordance with the Company Security Policy.
• Company does not allow the installation of software that has not been approved by Company.

Data Transmission Control

Except as necessary for the provision of the Services in accordance with the Agreement, Personal Data must not be read, copied, modified or removed without authorization during transfer. Where data carriers are physically transported, adequate measures are implemented at Company to provide the agreed-upon service levels (for example, encryption and lead-lined containers).

Measures:

• Personal Data in transfer over Company internal networks is protected according to Company Security Policy.
• When data is transferred between Company and its customers, the protection measures for the transferred Personal Data are mutually agreed upon and made part of the relevant agreement. This applies to both physical and network based data transfer. In any case, the Customer assumes responsibility for any data transfer once it is outside of Company-controlled systems.

Data Input Control

It will be possible to retrospectively examine and establish whether and by whom Personal Data have been entered, modified or removed from Company data processing systems.

Measures:

• Company only allows authorized personnel to access Personal Data as required in the course of their duty.
• Company has implemented a logging system for input, modification and deletion, or blocking of Personal Data by Company or its subprocessors within Service to the extent technically possible.

Job Control

End-User Data being processed on commission is processed solely in accordance with the Agreement and related instructions of the customer.

Measures:

• Company uses controls and processes to monitor compliance with contracts between Company and its customers, subprocessors or other service providers.
• All Company employees and contractual subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of Company customers and partners.

Availability Control

Personal Data will be protected against accidental or unauthorized destruction or loss.

Measures:

• Company employs regular backup processes to provide restoration of business-critical systems as and when necessary.
• Emergency processes and systems are regularly tested.

Data Separation Control

Personal Data collected for different purposes can be processed separately.

Measures:

• Company uses the technical capabilities of the deployed software to achieve data separation among Personal Data originating from multiple customers.
• Customer has access only to its own data.
• If Personal Data is required to handle a support incident from Customer, the data is assigned to that particular message and used only to process that message.

Data Integrity Control

Personal Data will remain intact, complete and current during processing activities.

Measures:

Company has implemented a multi-layered defense strategy as a protection against unauthorized modifications. In particular, Company uses the following to implement the control and measure sections described above.

• Firewalls;
• Security Monitoring Center;
• Antivirus software;
• Backup and recovery;
• External and internal penetration testing;
• Regular external audits to prove security measures.