This Data Processing Addendum ("DPA") forms part of the SOUS Merchant Terms of Service (“Terms”) and applies where SOUS processes Customer Data on behalf of the Merchant as a processor under applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Subject Matter and Duration
SOUS processes Customer Data only for the duration of the Terms agreement, and solely for the purpose of providing the services described in the SOUS Merchant Terms & Conditions.
2. Nature and Purpose of Processing
Processing activities include collection, storage, access, transfer, and deletion of Customer Data as necessary to provide:
Commerce tools and transaction processing;
Customer relationship and order management;
Reporting, analytics, and communication features.
3. Types of Personal Data Processed
Contact information (e.g., names, email addresses);
Order and transaction details;
Location data (e.g., for delivery and/or service providers);
Any data submitted by customers through the SOUS Systems.
4. Data Subjects
End-customers of the Merchant;
Employees or agents of the Merchant, where relevant.
5. Obligations of SOUS (Processor)
Process data only on documented instructions from the Merchant;
Ensure persons authorised to process Customer Data are under confidentiality obligations;
Implement appropriate technical and organisational security measures;
Assist Merchant in responding to data subject requests;
Assist Merchant in ensuring compliance with Articles 32 to 36 of the GDPR;
At the end of the Terms agreement, delete or return all personal data at Merchant’s request;
Make available all information necessary to demonstrate compliance and allow for audits.
6. Sub-Processors
SOUS may engage sub-processors to provide parts of the services. A current list of sub-processors is available upon request. SOUS ensures that equivalent data protection obligations are imposed on all sub-processors.
7. International Data Transfers
If Customer Data is transferred outside the EEA, such transfers will be carried out in accordance with Chapter V of the GDPR, using Standard Contractual Clauses or other lawful mechanisms.
8. Security
SOUS maintains appropriate technical and organisational measures to protect Customer Data, including encryption, access controls, regular monitoring, and secure development practices.
9. Personal Data Breach
In the event of a breach affecting Customer Data, SOUS will notify the Merchant without undue delay and provide all relevant information to support compliance and remediation efforts.
10. Miscellaneous
Nothing in this Schedule 2 limits either party’s liability under applicable data protection laws. This DPA prevails over conflicting terms in the SOUS Merchant Terms of Service where data protection is concerned.
11. Ownership and Use of Customer Data
For Embedded Commerce, the Merchant retains ownership of all Customer Data generated via their own channels. Unless a customer opts into SOUS marketing communications, SOUS may only use such data in aggregated or anonymised form for platform benchmarking and performance analysis.
For Marketplace Transactions, SOUS is the data controller. SOUS owns this Customer Data but may make it available to the Merchant in anonymised format only for benchmarking purposes via the SOUS Portal.
SOUS may process all Customer Data solely to support system functionality, improve services, conduct diagnostics, and enhance platform capabilities. This processing is always subject to applicable data protection laws and will never involve direct marketing unless the customer has explicitly consented.