Data Processing Agreement for United States

1. Information about the parties

The Data Exporter

The Data Importer

Name:

Merchant

LLC “Growave”

Role in the processing:

Controller

Processor

This Data Processing Agreement (“Agreement”) is the part of Growave’s Terms of Service entering into force by their acceptance by and between the Merchant and LCC “Growave”. Both parties shall be referred to as the “Parties” and each, a “Party”.

2. Reason for data transfer

‍LLC “Growave” provides the Merchant with the Shopify app “Growave”, available following the link https://apps.shopify.com/growave (“App”) under the App’s Terms of Service (“Terms of Service"). For LCC “Growave” to be able to provide the Merchant with the functionality of the App, the Merchant shall transfer to the LCC “Growave” personal data in the amount necessary for the performance of the Terms of Service.

‍3. Docking clause

‍An entity that is not a party to the Agreement may, with the agreement of the Parties, accede to the Agreement at any time, by signing the Docking Addendum.

‍4. Transfer of personal data

‍Following the purposes of the Agreement, transfers of personal data shall include, but is not limited to, the following:

transferring of the data between the Parties or by the Party with a third party under the “Transfer of personal data” and “Details of transfers” sections of the Agreement (“Transferred Personal Data”);
publication of the Transferred Personal Data;
storing of the Transferred Personal Data on servers;
subcontracting the processing of the Transferred Personal Data to the data processors;
granting third parties access rights to the Transferred Personal Data.

5. Transfer standards

‍Parties shall execute the following standards of transfer:

each Party shall ensure compliance with applicable data protection legislation at all times, including the principles and standards set out in the “Principles and standards” section;
the Transferred Personal Data may be processed and subsequently used or further communicated only for purposes described in the “Details of transfer” section or subsequently authorised by the data subject;
the Transferred Personal Data shall be accurate and, where necessary, kept up to date. The Transferred Personal Data shall be adequate, relevant, and not excessive with the purposes for which it is transferred and further processed;
the Parties shall provide information necessary to ensure fair processing (such as information about the purposes of processing and the transfer);
according to state and federal laws, the controller must respond to a subject's request from the data subjects within one month;
the Parties shall take additional measures (e.g., security or technical) necessary to protect such sensitive data following its obligations under the Security clause;
where Transferred Personal Data is processed for direct marketing purposes, effective procedures should exist, allowing the data subject at any time to “opt out” from having its data used for such purposes;
the Parties shall not make any automated decisions concerning data subjects, except when:
such decisions are made by a Party when entering into or performing a contract with a data subject; and
the data subject is allowed to discuss the results of a relevant automated decision with a representative of the Parties making such a decision or otherwise to make representations to that Parties.

6. Data subjects

‍LCC “Growave” in course of the use of the App by the Merchant may process personal data of:

owners of the store at Shopify or the representatives, who use the App (“Store Owners”);
customers of the store at Shopify, represented by the Store Owners (“Customers”).

7. Personal data

‍The LLC “Growave” in course of the use of the App by the Merchant may process the following personal data:

date and time of the installation, store name, store location, email, phone number, full name, the content of messages, listing product, product tags, discount codes and promotion, gift card data, Shopify plans, price rules, marketing events, theme, script tags in online store (“Store Owners’ Data”);
cookies, full name, email, phone number, geolocation, address, browser and operating system, IP address, content of Customers reviews, order details (“Customers’ Data”).

The processing role of LCC "Growave" in relation to Store Owners' data is the controller. The processing role of LCC "Growave" in relation to Customers' data is the processor.

‍8. Personal data storage term

‍The LCC “Growave” shall store the personal data received by the Merchant during terms indicated in the Growave App Privacy Notice available following the link https://www.growave.io/legal/privacy-app.

‍9. Details of transfer

Data subject

Personal data transferred

Purpose of the processing

Storage term

Store Owners.

Store Owners’ Data.

Provide services under the Terms of Service

During terms indicated in the Growave App Privacy Notice available following the link https://www.growave.io/legal/privacy-app.

Customers.

Customers’ Data.

Provide services under the Terms of Service.

During terms indicated in the Growave App Privacy Notice available following the link https://www.growave.io/legal/privacy-app.

10. Sensitive data

‍Sensitive data will not be transferred.

‍11. Limitation of the processingT

he Transferred Personal Data shall only be processed as far as necessary according to the purposes and to fulfil the obligations as set out in the Terms of Service.

The Parties guarantee that the processing of the Transferred Personal Data will be made based on a legal basis, acceptable by both Parties.

‍12. Data retention limitation

‍The Parties shall not retain or process Transferred Personal Data longer than is necessary to carry out the purposes and obligations as set out in the Terms of Service.

‍13. The frequency of the transfer

‍Transferred Personal Data will be transferred on a continuous basis.

‍14. Nature of the processing

‍Merchant transfers the Customers' data to LLC "Growave" through Shopify functionality.The LCC “Growave” collects the Store Owners’ Data and Customers’ Data to provide services to the Merchant.

‍15. Transfer to subprocessors

‍Each Party can appoint processors independently, providing the necessary safeguards for processing personal data. Merchant acknowledges and agrees that LLC “Growave” uses the following subprocessor for storing the Transferred Personal Data: Amazon Web Services.LCC “Growave” engages third-party subprocessors only on condition their acceding to the Agreement via the Docking clause.

‍16. Transfer to third parties

‍Each Party can transfer the Transferred Personal Data to the third parties independently, providing the necessary safeguards for processing Transferred Personal Data.

‍17. Recipients

‍Personal data transferred may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards are in place:

advisers, consultants, and other professional experts;
partners;
team members;
third parties.

The Parties will notify each other with undue delay if they become aware of inaccuracies in Transferred Personal Data.

‍18. No sale of personal data under The California Consumer Privacy Act

‍Parties shall not have, derive, or exercise any rights or benefits regarding processed Transferred Personal Data, and may use and disclose Transferred Personal Data solely for the purposes for which such Transferred Personal Data was provided to it, as stipulated in the Agreement.

Parties certify that they understand the rules, requirements and definitions of The California Consumer Privacy Act (“CCPA”) and agree to refrain from selling any Transferred Personal Data, nor taking any action that would cause any transfer of Transferred Personal Data to qualify as “selling” such Transferred Personal Data under the CCPA.

‍19. Competent supervisory authority
Competent supervisory authority is the authority whose jurisdiction extends to the Merchant’s registered address.

‍20. Data protection measures

‍Taking into account the scope, purpose, and risks of the processing, to protect personal data the Growave implement the following measures:

‍Technical measures

two-factor authentication;
using firewalls;
encryption technologies;
backup data using software and hardware.

Organisational measures

staff trainings on data protection;
internal policies and instructions;
non-disclosure agreements (NDA);
compliance with requirements of the CCPA, Nevada Privacy Law and other applicable US federal privacy laws;
transfer protection.

Physical measures

video monitoring;
signalling;
limited access to premises (biometric identification);
round the clock security (security agency).

21. Data incident management and notification

‍The Parties will notify each other as soon as possible of any potential or actual loss of Transferred Personal Data or any breach of the technical or organisational measures taken.

The Parties shall notify within 24 hours after identifying any potential or actual loss or breach.

The Parties shall make reasonable efforts to identify and take those steps as deem necessary and reasonable in order to remediate or mitigate the cause of such data loss or breach incident.

The Parties will provide each other with reasonable assistance as required to facilitate the handling of any data security breach.

‍22. Signing of the Agreement

The Data Exporter

The Data Importer

Signed for and on behalf of the Data Exporter set out above by agreeing to Terms of Service

Signed for and on behalf of the Data Importer set out above

‍Signed:

Date of signature: December 27, 2022

‍Full name: Galiyev Eldar Amanbekovich

‍Job title: General Director