Data Processing Agreement
1. Scope, Priority, and Duration
1.1 This Data Processing Agreement (DPA) serves as an addendum to the Customer Terms of Service ("Agreement") between North Commerce and Distribution SRO ("apire.io") and the Customer. Both apire.io and the Customer are referred to individually as a "party" and together as the "parties."
1.2 This DPA applies when and only when apire.io processes Personal Data on behalf of the Customer and that data is governed by applicable Data Protection Laws, including those from California, the European Union, the EEA, Switzerland, or the UK. The parties agree to abide by the terms outlined in this DPA for such data.
1.3 The period of Processing covered by this DPA is in line with the duration of the Agreement.
2. Terminology
2.1 Terms used in this DPA will have the meanings specified below, with undefined terms being as defined in the Agreement.
2.2 CCPA-specific terms such as "Business," "Sell," "Service Provider," and "Third Party" follow the definitions in the CCPA.
2.3 "Controller" refers to the entity that decides how and why Personal Data is processed. This term also applies to similar roles defined in other Data Protection Laws.
2.4 "Data Protection Law" includes all relevant data protection regulations applicable to Personal Data under the Agreement, such as GDPR and CCPA.
2.5 A "Data Subject" is any natural person who can be identified.
2.6 "De-identified Data" refers to data that has been stripped of Personal Data. Aggregated data is considered de-identified.
2.7 "EEA" refers to the European Economic Area.
2.8 "Standard Contractual Clauses" are the EU's clauses for transferring Personal Data internationally, as defined in the 2021 decision.
2.9 "Personal Data" means any information that can identify an individual. This includes identifiers like names, ID numbers, and similar.
2.10 A "Personal Data Breach" is any incident leading to the unauthorized access, destruction, or alteration of Personal Data.
2.11 "Process" or "Processing" refers to any operation performed on Personal Data, such as collection, storage, or erasure.
2.12 A "Processor" is the entity that processes Personal Data on behalf of a Controller.
2.13 "Sensitive Data" includes highly sensitive information like health records, biometric data, or financial details.
2.14 A "Subprocessor" is a third party engaged by a Processor to assist in Processing Personal Data.
3. Personal Data Processing and Party Statuses
3.1 Schedules 1-3 outline the purpose of Processing, types of Personal Data involved, and affected Data Subjects.
3.2 The parties' roles under relevant Data Protection Laws are detailed in Schedules 1-3.
4. Cross-Border Data Transfers
4.1 When apire.io handles Personal Data from the EEA, Switzerland, or the UK, the Standard Contractual Clauses are automatically included as part of this DPA. Schedules 1-3 provide the necessary details.
5. Data Protection Compliance
5.1 Both parties will fulfill their legal obligations under relevant Data Protection Laws and ensure their privacy policies are adhered to.
5.2 The Customer confirms that they have the legal basis to collect Personal Data.
5.3 Cooperation will include:
5.3.1 Assisting each other in addressing Data Subject rights requests.
5.3.2 Notifying apire.io of any regulatory authority complaints.
5.3.3 Sharing information to meet legal requirements such as data protection assessments.
5.4 Both parties ensure their employees or contractors are trained on data privacy and confidentiality.
5.5 De-identified Data can be created and used by both parties for any purpose.
6. Data Security
6.1 Each party will implement a security policy with measures appropriate to the risk associated with the Personal Data. apire.io’s security practices are detailed in Schedules 2.3 and 3.4.
7. apire.io’s Responsibilities as a Processor
7.1 This section applies when apire.io acts as the Customer’s Processor.
7.2 apire.io will only process Personal Data to provide services and comply with the law.
7.3 apire.io will inform the Customer of any Data Subject requests it receives and assist in responding to them.
7.4 apire.io is permitted to use Subprocessors as outlined in Schedule 3.
7.5 apire.io will notify the Customer promptly of any data breaches involving Personal Data.
7.6 Personal Data will be deleted upon service termination unless retention is required by law.
7.7 Upon request, apire.io will provide documentation related to its security practices for Customer review.