This Data Processing Agreement ("DPA") is an agreement between you and the companies on whose behalf you are acting (together, "Customer" or "you") on one side and CoolOrca Inc. and CoolOrca Ltd. on the other side. This DPA forms part of the written or electronic agreement between you and CoolOrca Inc. and CoolOrca Ltd. (the "Agreement") under whose terms CoolOrca Inc. and CoolOrca Ltd. process your personal information ("Customer Personal Information"), except where you and CoolOrca Inc. and CoolOrca Ltd. have entered into another agreement that governs the processing of that information with respect to the subject matter hereof. This DPA is an integral part of the Documentation for the services provided under the Agreement.
1 Customer Personal Data Processing
1.1 Processor designation. The Parties agree that, with respect to the Customer Personal Information that CoolOrca Inc. and CoolOrca Ltd. process in order to provide the Transaction Services (including, for example, the processing described in the Customer Personal Data Processing Details), CoolOrca Inc. and CoolOrca Ltd. act as "Processor" within the meaning of Applicable Data Protection Law, and Customer's instructions are subject to that law.
1.2 Approval to Process. Processor processes Customer Personal Information for the purpose of providing the Transaction Services. Processor shall process Customer Personal Information only for the following purposes:
1.2.1 as set out in the Agreement, including without limitation any schedules, pricing, attachments and Transaction Services, and any other processing required by applicable law or regulation;
1.2.2 on Customer's instructions, and in the course of providing the Transaction Services, to transfer Customer Personal Information to banks (acquirers and issuers), to payment processors that provide services on behalf of acquiring banks, to credit and debit card networks, and to third-party providers of payer authentication services used by Customer (including Verified by Visa and Mastercard Identity Check);
1.2.3 to the extent permitted, to comply with any guidelines or instructions given by Customer; and
1.2.4 to develop and improve the security and fraud-protection solutions that CoolOrca Inc. and CoolOrca Ltd. provide to Customer and/or to other users of Coolorca.com services. The resulting models allow Processor to offer Customer up-to-date risk scoring as part of the Transaction Services.
2 Compliance with Law. Each of CoolOrca Inc. and CoolOrca Ltd., in providing the Transaction Services, and Customer, in using them, shall process Customer Personal Information in accordance with Applicable Data Protection Law.
3 Customer commitments
3.1 Customer shall provide its End-User(s) with all privacy notices and choices required by Applicable Data Protection Law, and shall obtain any consents required, so that both Parties comply with Applicable Data Protection Law;
3.2 where required by Applicable Data Protection Law, Customer shall instruct Processor to correct, update or delete some or all of the Customer Personal Information;
3.3 Customer shall ensure that, when it sends Personal Information to Processor, that Personal Information is accurate, relevant and limited to what is necessary for the processing purposes within the scope of the Agreement and this DPA; and
3.4 Customer shall comply with (and shall ensure that any third-party auditors it engages comply with) Processor's applicable security policies and the confidentiality obligations set out in the Agreement.
4 CoolOrca Inc. and CoolOrca Ltd. commitments
4.1 Applicable Data Protection Law. To the extent necessary to enable Customer to comply with its obligations under Applicable Data Protection Law, CoolOrca Inc. and CoolOrca Ltd. shall comply with the GDPR Schedule (Schedule B), except where they act under Section 1.2 (Approval to Process) of this DPA, and/or the CCPA Schedule (Schedule A), in each case to the extent applicable.
4.2 Data Subject Rights. To the extent permitted by law, Processor shall provide Customer with reasonable assistance in responding to requests from End-User(s) to exercise their rights under Applicable Data Protection Law, in a manner consistent with the nature and functionality of the Transaction Services. If CoolOrca Inc. and CoolOrca Ltd. receive such a request directly, they will notify Customer, and Customer is responsible for responding to the End-User's request in accordance with Applicable Data Protection Law.
4.3 Engaging Sub-Processors. Where Processor engages a third-party data processor, including an Affiliate (a "Sub-Processor"), to process Customer Personal Information on Customer's behalf, Processor shall ensure that a written contract is in place between Processor and the Sub-Processor that provides at least the same level of protection for Customer Personal Information as this DPA.
4.4 Staff. Processor shall ensure that persons authorised to process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.5 Security of Processing. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of natural persons, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, Processor shall take into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Information transmitted, stored or otherwise processed. Processor shall assist Customer, insofar as reasonably possible, in meeting Customer's own obligations with respect to these security measures.
4.6 Security Breach.
4.6.1 If a Security Breach (as defined below) affecting Customer Personal Information held in Processor's systems is identified, Processor shall (i) investigate the circumstances, identify the cause of the Security Breach, notify Customer of the results of the investigation and keep Customer informed of its progress until the Security Breach is resolved; and (ii) cooperate with Customer in any legally required notification by Customer to the affected End-Users. These obligations do not apply to Security Breaches caused by Customer or Customer's End-Users.
4.6.2 Processor shall notify Customer without undue delay after Processor or a Sub-Processor becomes aware of an actual Security Breach affecting Customer Personal Information, and shall provide Customer with such information and assistance as Customer reasonably requires to meet its obligations under Applicable Data Protection Law to (i) notify the supervisory authority of the Security Breach; and (ii) communicate the Security Breach to the affected Data Subjects.
4.6.3 Notification under Section 4.6.2 of this DPA is made by e-mail or text message to the e-mail address or mobile phone number that Customer provided when registering in the Coolorca.com Trading Interface.
4.6.4 Except where required by law or regulation, neither Party shall make (or permit a third party to make) any public statement about a Security Breach that refers directly or indirectly to the other Party without the other Party's prior written authorisation.
4.7 Deletion and Retention. At Customer's election, Processor shall delete or return all Customer Personal Information at the end of the term of the Agreement, and shall delete existing copies, unless retention is required by law.
5 Miscellaneous. The provisions of this DPA apply to the extent required by Applicable Data Protection Law. The provisions of the Agreement (including, without limitation, those on limitation of liability, performance and interpretation, and indemnification) apply to this DPA. In the event of a conflict between this DPA and the Agreement, this DPA prevails solely with respect to the data-processing terms it governs (where so required by Applicable Data Protection Law); in all other respects the Agreement prevails. Notwithstanding the foregoing, this DPA does not apply to information or data that does not relate to an identified or identifiable natural person, to data that has been aggregated or anonymised such that it is no longer regulated under Applicable Data Protection Law, or to the extent that Coolorca.com and you have agreed specific data-processing terms covering the subject matter of the Agreement.
6 Definitions. Unless otherwise defined in the Agreement or this DPA, capitalised terms have the meanings given to them in Applicable Data Protection Law.
"Applicable Data Protection Law" means any law or regulation relating to data protection, privacy and/or the processing of Personal Information that applies to the Parties' obligations under the Agreement and this DPA, including (by way of illustration) the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), UK Data Protection Laws, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (the "CCPA"), Swiss DP Laws, and other applicable laws and regulations.
"EEA Standard Contractual Clauses" means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by the competent authority under Applicable Data Protection Law.
"End-User(s)" means a person who orders goods or services from Customer and whose Personal Information Customer submits to Processor in the course of using the Transaction Services under the Agreement.
"Personal Information" means any data or information, in any form, that identifies, or relates directly or indirectly to, an identified or identifiable natural person (a "Data Subject"), or that otherwise constitutes "personal data" or is otherwise protected under Applicable Data Protection Law. For the avoidance of doubt, the scope of End-User information to be processed is as set out in the Agreement.
"Process", "Processed" or "Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, access, recording, storage, alteration, disclosure, copying, transmission, erasure or destruction.
"Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, and includes a "personal data breach", a "breach of system security" or any equivalent term under Applicable Data Protection Law, or any other event that compromises the privacy or security of Personal Information.
"Swiss DP Laws" means the Swiss Federal Act on Data Protection of 19 June 1992 and any regulations implementing it.
"Transfer" means the transfer or other processing of Customer Personal Information across national borders in circumstances restricted by Applicable Data Protection Law.
"UK Data Protection Laws" means the GDPR as incorporated into UK law by section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the "UK GDPR"), together with the Data Protection Act 2018, those Regulations, and any other data protection legislation in force in the United Kingdom from time to time. Where the UK GDPR applies to processing under this DPA, references in this DPA to the GDPR and its provisions shall be construed as references to the UK GDPR and its equivalent provisions.
"UK Standard Contractual Clauses" means, together: the standard contractual clauses for the transfer of personal data to processors established in third countries set out in Commission Decision 2010/87/EU of 5 February 2010 (C(2010) 593), adopted under Directive 95/46/EC of the European Parliament and of the Council (the "UK C2P SCCs"), and the standard contractual clauses for the transfer of personal data between controllers set out in Commission Decision 2004/915/EC of 27 December 2004, adopted under Directive 95/46/EC of the European Parliament and of the Council (the "UK C2C SCCs"), in each case as amended or replaced from time to time.
SCHEDULE A
CALIFORNIA CONSUMER PRIVACY ACT
This CCPA Schedule applies in addition to the terms set out in the body of the DPA (and is incorporated therein) when the CCPA applies to your use of the Transaction Services. Capitalised terms not defined herein have the meaning given to them in the DPA. In the event of a conflict between this CCPA Schedule and the DPA, this CCPA Schedule prevails.
1 Coolorca.com shall not (i) sell Customer Personal Information; or (ii) retain, use or disclose Customer Personal Information for any purpose other than as set out in the DPA, except where required or permitted by Applicable Data Protection Law.
2 When Customer provides or makes Personal Information available to Coolorca.com, Customer agrees to disclose or share only the Personal Information that Coolorca.com requires in order to perform its obligations under the Agreement(s).
3 To the extent required by Applicable Data Protection Law, this CCPA Schedule constitutes Coolorca.com's certification that it understands and will comply with the processing restrictions set out herein.
SCHEDULE B
GENERAL DATA PROTECTION REGULATION
This GDPR Schedule applies in addition to the terms set out in the body of the DPA (and is incorporated therein) when the GDPR applies to your use of the Transaction Services. Capitalised terms not defined herein have the meaning given to them in the DPA. In the event of a conflict between this GDPR Schedule and the DPA, this GDPR Schedule prevails.
1 Processor Obligations
1.1 Processing of Customer Personal Information. Processor shall process Customer Personal Information only on Customer's documented instructions (including with regard to transfers of Customer Personal Information to a third country, where permitted), unless Processor is required to process it otherwise by Applicable Data Protection Law; in that case, Processor shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
1.2 Use of Sub-Processors
1.2.1 Subject to Section 1.2.2 of this GDPR Schedule, Customer authorises Processor to engage the Sub-Processors listed in the Coolorca.com Trading Interface. Processor may maintain its list of Sub-Processors by publishing it online.
1.2.2 Processor shall notify Customer of any intended addition or replacement of a Sub-Processor, so that Customer may object to the change. If Customer objects to the addition or replacement of a Sub-Processor, Customer shall notify Processor of its objection in writing within 10 business days of receiving Processor's notice of the change.
1.2.3 Processor may, at its sole discretion, use reasonable efforts to change the Transaction Services, or to recommend a commercially reasonable change to Customer's use of the Transaction Services, so as to avoid the processing of Customer Personal Information by the new Sub-Processor to which Customer has objected. If Processor cannot make such a change within a reasonable period (not exceeding 30 days), Customer may, by written notice to Processor, terminate the Agreement with respect to those parts of the Transaction Services that Processor cannot provide without engaging the new Sub-Processor to which Customer has objected. If the Transaction Services cannot be provided at all without engaging the new Sub-Processor, Customer may terminate the Agreement in its entirety.
1.2.4 Processor shall not impose any penalty on Customer for a termination under Section 1.2.3 of this GDPR Schedule.
2 Data Protection Impact Assessments and Prior Consultation with Regulator
2.1 Processor shall promptly inform Customer if, in Processor's opinion, an instruction from Customer infringes Applicable Data Protection Law. Customer acknowledges that Processor is under no obligation to actively review Customer's instructions in order to form such an opinion.
2.2 Processor shall provide reasonable assistance to Customer with (a) any data protection impact assessments, and (b) any prior consultations with a supervisory authority that Customer is required to carry out as a result of such assessments, in each case solely in relation to the processing of Customer Personal Information by Processor on Customer's behalf under the Agreement, and taking into account the nature of the processing and the information available to Processor.
3 Demonstrating Compliance with this DPA
3.1 Processor shall make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow for and contribute to audits, including inspections, conducted by Customer or by another auditor mandated by Customer, in order to verify compliance with this DPA.
3.2 Customer's right under Section 3.1 of this GDPR Schedule is subject to the following:
3.2.1 where Processor demonstrates compliance with its obligations under this DPA by adhering to an approved code of conduct or certification, or by providing Customer with an audit report prepared by an independent third-party auditor (subject to Customer's compliance with the confidentiality obligations set out in the Agreement in its review of that audit report), Customer agrees not to request an audit or other verification under Section 3.1; and
3.2.2 taking into account the time, cost and likelihood of business disruption involved in conducting audits and inspections, including interviews and on-site visits, Customer agrees to conduct such audits and inspections only where it can demonstrate that they are reasonably necessary beyond the information provided by Processor under Section 3.1. Any such audit shall (i) be conducted at reasonable intervals (no more than once every 12 months), on at least 60 days' advance notice of the audit date and on a date agreed by both Parties, and shall not disrupt Processor's business operations; (ii) be conducted at Customer's expense and during business hours; (iii) not interfere with the interests of Processor's other customers; and (iv) not last longer than two consecutive business days.
4 Cross-Border Transfers
4.1 Processor shall comply with Customer's documented instructions regarding Transfers of Customer Personal Information to a third country.
4.2 Processor shall process or transfer Customer Personal Information outside the European Economic Area ("EEA"), Switzerland and the United Kingdom only in accordance with Applicable Data Protection Law.
4.3 Customer acknowledges and agrees that Processor transfers and stores Customer Personal Information in the United States (including data relating to individuals located in the United Kingdom and/or Switzerland).
4.3.1 Transfers subject to the GDPR or Swiss DP Laws. Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses applies to any Transfer of Customer Personal Information from the EEA or Switzerland to Coolorca.com and its affiliates in the United States or other third countries (the "Coolorca.com Entities"). The Parties agree that Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses is incorporated herein by reference, and that:
4.3.1.1 Customer and its affiliates that have signed up for the Transaction Services (the "Customer Entities") are the "data exporters" and the Coolorca.com Entities are the "data importers";
4.3.1.2 Clause 7 (Docking clause) applies;
4.3.1.3 in Clause 9 (Use of sub-processors), Option 2 applies and the "time period" is 10 business days;
4.3.1.4 in Clause 11(a) (Redress), the optional language does not apply;
4.3.1.5 in Clause 13(a) (Supervision):
(i) where the data exporter is established in an EU Member State, the following applies: "The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority";
(ii) where the data exporter is not established in an EU Member State but falls within the territorial scope of Regulation (EU) 2016/679 under its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the following applies: "The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority";
(iii) where the data exporter is not established in an EU Member State but falls within the territorial scope of Regulation (EU) 2016/679 under its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the following applies: "The supervisory authority of one of the Member States in which the data subjects whose personal data are transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority";
4.3.1.6 the competent supervisory authority is the authority responsible for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C;
4.3.1.7 in Clause 17 (Governing law), Option 1 applies and the "Member State" is Ireland;
4.3.1.8 in Clause 18 (Choice of forum and jurisdiction), the Member State is Ireland; and
4.3.1.9 the information set out in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes I, II and III of the EEA Standard Contractual Clauses.
4.3.2 Transfers subject to the UK GDPR. The UK C2P SCCs apply to any Transfer of Customer Personal Information from the United Kingdom to the Coolorca.com Entities. The Parties agree that:
4.3.2.1 the UK C2P SCCs are incorporated herein by reference;
4.3.2.2 the Customer Entities are the "data exporters" and the Coolorca.com Entities are the "data importers";
4.3.2.3 the information set out in Exhibit 1 (Table 2) of this GDPR Schedule is incorporated into Appendices 1 and 2 of the UK C2P SCCs; and
4.3.2.4 if the UK Government or the Information Commissioner approves the EEA Standard Contractual Clauses for use under the UK GDPR, the EEA Standard Contractual Clauses shall apply in accordance with Section 4.3.1 (Transfers subject to the GDPR or Swiss DP Laws) above, subject to any amendments required under the UK GDPR or specified by the Information Commissioner, with the competent supervisory authority being the UK Information Commissioner's Office and the governing law being the law of England and Wales.
4.3.3 In the event of any conflict or inconsistency between a term of this DPA or the Agreement and a term of Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses (or, as applicable, the UK C2P SCCs) as incorporated into this DPA, the term of Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses (or, as applicable, the UK C2P SCCs) prevails.
EXHIBIT 1
INFORMATION REQUIRED FOR THE EEA AND UK STANDARD CONTRACTUAL CLAUSES

Table 1: Information to be incorporated into the EEA Standard Contractual Clauses

ANNEX I A. LIST OF PARTIES

Data exporter identity and contact details

| Item | Information agreed by the Parties |
|---|---|
| Name | Customer Entities |
| Address | To be provided on request |
| Contact person's name, position and contact details | To be provided on request |
| Activities relevant to the data transferred under these Clauses | As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing" |
| Role (controller/processor) | Controller |

Data importer identity and contact details

| Item | Information agreed by the Parties |
|---|---|
| Name | Coolorca.com Entities |
| Address | 900 Metro Center Boulevard, Foster City, CA 94404, U.S.A. |
| Contact person's name, position and contact details | privacy@visa.com |
| Activities relevant to the data transferred under these Clauses | As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing" |
| Role (controller/processor) | Processor |

ANNEX I B. DESCRIPTION OF TRANSFER

| Item | Information agreed by the Parties |
|---|---|
| Categories of data subjects whose personal data is transferred | As set out in the table in Exhibit 2 under "Categories of Data Subjects" |
| Categories of personal data transferred | As set out in the table in Exhibit 2 under "Types of Personal Information" |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures | Not Applicable |
| Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous |
| Nature of the processing | As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing" |
| Purpose(s) of the data transfer and further processing | As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing" |
| Period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period | Personal data will be retained in accordance with Coolorca.com's retention policies, for only as long as is required to meet Coolorca.com's legal, regulatory and operational requirements and as necessary to perform the services |
| For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing | As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing" |

ANNEX I C. COMPETENT SUPERVISORY AUTHORITY

| Item | Information agreed by the Parties |
|---|---|
| Competent supervisory authority/ies | To be provided by the data exporter on request |

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

| Item | Information agreed by the Parties |
|---|---|
| Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons | As set out in Table 2 of this Exhibit 1 under "Description of the technical and organisational security measures implemented by the data importer" |
| For transfers to (sub-)processors, also describe the specific technical and organisational measures to be taken by the (sub-)processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter | In respect of Transaction Services: initiatives, products, processes and supporting technology are assessed from a data privacy perspective, allowing Coolorca.com to embed privacy controls to mitigate risks at early stages (privacy by design). Coolorca.com has a robust privacy risk assessment framework (including privacy impact assessments), embedded in its change-management processes across the business, to ensure that both new and changed personal data processing activities are reviewed. Where Customer requires specific assistance, Customer may submit requests for assistance through the Coolorca.com Merchant Interface. |

ANNEX III LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors: as listed in the Coolorca.com Merchant Interface.
Table 2: Information to be incorporated in the UK C2P SCCs

Information to be incorporated into Appendix 1 of the UK C2P Standard Contractual Clauses

Category of Information Required by Appendix 1 of the C2P Standard Contractual Clauses | Information Agreed by the Parties
Data Exporter | Customer Entities
Data Importer | Coolorca.com Entities
Data Subjects | As set out in the table in Exhibit 2 under "Categories of Data Subjects".
Categories of Data | As set out in the table in Exhibit 2 under "Types of Personal Information".
Special Categories of Data | Not Applicable
Processing Operations | As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Information to be incorporated into Appendix 2 of the UK C2P Standard Contractual Clauses

Category of Information Required by Appendix 2 of the C2P Standard Contractual Clauses: Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

Information Agreed by the Parties:

Coolorca.com is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (together with any successor organization thereto, “PCI DSS”) that are applicable to Coolorca.com and its affiliates (such standards, the “PCI Standards”). As evidence of compliance, Customer may access Coolorca.com’s current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor through Visa Online.

Coolorca.com maintains and enforces commercially reasonable information security and physical security policies, procedures and standards, that are designed (i) to insure the security and confidentiality of Customer’s records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of such records, and (iii) to protect against unauthorized access to or use of such records or information which could result in substantial harm (the “Visa Information Security Program”). At a minimum, the Visa Information Security Program is designed to meet the standards set forth in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions or other standards or objectives that supersede or replace the foregoing.

Coolorca.com engages its independent certified public accountants to conduct a review of Coolorca.com’s operations and procedures at Coolorca.com’s cost. The accountants conduct the review in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 SOC I Type II (“SSAE 18”) and record their findings and recommendations in a report to Coolorca.com. Upon request, and subject to standard confidentiality obligations, Coolorca.com will provide its most recent SSAE 18 and, in Coolorca.com’s reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18’s findings.
EXHIBIT 2
DETAILS OF PROCESSING CUSTOMER PERSONAL INFORMATION

For each Service, the table sets out the nature and purpose of the processing, the types of personal information, and the categories of data subjects to whom the personal information relates.

Advanced Fraud Detection Suite (AFDS) and Fraud Detection Suite (FDS)
Nature and purpose of the processing: AFDS & FDS provide the Customer with risk management and fraud screening services. Personal Information is used to mitigate fraud on the Customer's and Consumers' behalf based on the instructions of the Customer or Coolorca.com.
Types of personal information: Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, and IP address may be used. Further detail is included in the applicable Services Documentation.
Categories of data subjects: End-Users as defined under the Agreement (including credit card holders, bank transfer users, direct debit users, all end users whose cardholder or bank account data is submitted to Processor for processing).

Recurring Billing
Nature and purpose of the processing: Recurring Billing provides a service that captures recurring payments with cards on file.
Types of personal information: If the Customer opts to use Recurring Billing, we may use Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address. Further detail is included in the applicable Services Documentation.

Account Updater
Nature and purpose of the processing: Account Updater is a service that automatically updates account numbers and expiration dates for cards on file in Recurring Billing subscriptions & Customer Information Manager (CIM) profiles.
Types of personal information: If the Customer opts to use Account Updater, we may use Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address. Further detail is included in the applicable Services Documentation.

Invoicing
Nature and purpose of the processing: Invoicing is a service that emails a digital invoice to a customer and can accept digital payments for goods and services.
Types of personal information: If the Customer opts to use Invoicing, we may use Cardholder and banking information, including, without limitation, card numbers, email, name, address. Further detail is included in the applicable Services Documentation.

Payment Gateway
Nature and purpose of the processing: Gateway services for bank transfers, direct debits, credit/debit card authorisation, settlement, authentication and credit, including processing, provision of customer support.
Types of personal information: Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address. Further detail is included in the applicable Services Documentation.
2020 - 2024 ©
Coolorca.com, Inc. | Coolorca LTD or its affiliates: LLC FoxNetStore | Privacy Policy | GDPR & DPA