
APPENDIX 1 - DATA PROCESSING AGREEMENT

  1. INTRODUCTION

    1. This data processing agreement (the "Data Processing Agreement") forms part of the GelatoConnect agreement (the "Agreement") between Gelato and you. 

    2. Gelato acts as a processor on your behalf, when you use the Services

      1. For the GelatoConnect Workflow module: to handle Orders, as stipulated in the Agreement (the "Services").

      2. For the GelatoConnect Logistics Module: to handle the shipment of parcels and provide all ancillary services

      3. For the GelatoConnect Procurement Module: to facilitate the Transactions on the Platform, enable the Suppliers to receive appropriate data and allow Gelato to provide ancillary services

      4. The Data Processing Agreement does not govern (i) personal data processed by Gelato as controller, or (ii) processing of personal data not subject to the GDPR.

    3. In the event of inconsistency between the Agreement and the Data Processing Agreement on matters specifically concerning data protection, the latter shall prevail.

  2. DEFINITIONS

    1. "Applicable Data Protection Law" means applicable data protection and privacy law of the country in which you and Gelato are incorporated, including the GDPR.

    2. "GDPR" means the EU General Data Protection Regulation 2016/679.

    3. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries, laid down by the EU Commission decision of 4 June 2021 and/or laid down by a relevant supervisory authority.

    4. Other terms shall have the meaning as defined in the Agreement or in Applicable Data Protection Law.

  3. SCOPE

    1. You instruct Gelato to process personal data on your behalf as follows:

      1. Nature/purpose: Processing of personal data uploaded by you to GelatoConnect, 

      2. For GelatoConnect Workflow: to handle Orders and Print Jobs.

      3. For GelatoConnect Logistics: to handle Orders and enable Logistics Providers to deliver shipments to your customers.

      4. For GelatoConnect Procurement: to facilitate Transactions

      5. Data subjects: 

      6. Persons mentioned, depicted or otherwise identifiable from the data uploaded by you. 

      7. Categories of personal data: Names, positions, phone numbers, email addresses, addresses, images and other information relating to the data subjects. You will generally not upload special categories of personal data (sensitive data).

    2. For the avoidance of doubt, Gelato processes personal data, including name, email addresses, usernames, and passwords, concerning your personnel as controller. Such processing is not governed by this Data Processing Agreement; however, Gelato shall process such personal data in accordance with Applicable Data Protection Law.

  4. GENERAL OBLIGATIONS

    1. You shall comply with your obligations under Applicable Data Protection Law, including by ensuring lawfulness of the processing (such as by collecting consents if required) and by giving data subjects information about the processing (such as by means of a privacy notice).

    2. Gelato shall process the personal data strictly for the purpose and within the scope of Clause 3 and shall not process the personal data for its own purposes. However, this obligation does not prevent Gelato from extracting and processing anonymous data, such as aggregated knowledge and statistics, from personal data, including for the purpose of product development.

    3. Gelato shall without undue delay inform you in writing if, in its reasonable opinion: (i) an instruction from you will cause Gelato to infringe Applicable Data Protection Law; or (ii) a legal requirement laid down by EU law or law in an EEA/EU country requires Gelato to process personal data beyond the scope of your documented instructions, unless that law prohibits such information on important grounds of public interest (if so, Gelato shall inform you as soon as permitted by law).

    4. In the event of (i) or (ii), the Parties shall in good faith discuss how to solve the issue without adversely affecting the data protection.

5. ASSISTANCE TO YOU

  1. Gelato shall assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to and comply with requests for exercising the data subject's rights laid down in Applicable Data Protection Law.

  2. Taking into account the nature of processing and the information available to Gelato, Gelato shall assist you with the obligations pursuant to Articles 32 to 36 of the GDPR, including the obligations of data security (as further described in Clause 6), personal data breach notification (as further described in Clause 9), data protection impact assessments, and prior consultations.

Assistance under this Clause 5, which is performed upon your request, shall be without additional charge up to a maximum of fifteen (15) hours per calendar year. Assistance exceeding such hours shall be payable based on Gelato's ordinary rates.

6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

  1. Gelato shall implement and maintain throughout the term appropriate technical and organizational data security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access as required pursuant to Article 32 of the GDPR.

  2. Gelato's security measures are described in Schedule 1. You acknowledge that Gelato may from time to time make amendments to these measures, provided that the amendments do not adversely affect the level of data security.

  3. Gelato shall not disclose or make available the personal data to any third party except with your prior written approval, and except to any sub-processors (subject to Clause 7) on a need-to-know basis.

  4. Gelato shall ensure that persons under its control who have access to the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. USE OF SUB-PROCESSORS

  1. You authorize Gelato to engage sub-processors. 

  2. You are hereby informed that Gelato will continuously add and replace sub-processors for the purpose of maintaining and continuously improving the Services. Gelato shall on the Platform make available an up-to-date list of the sub-processors (identities may be kept confidential if required to comply with confidentiality undertakings). The current list of sub-processors is attached as Schedule 2. You can at any time object to any of the sub-processors. If so, Gelato shall endeavor to deliver the Services without the sub-processor, however you acknowledge that Gelato may then not be able to provide the Services.

  3. Sub-processing shall only be done by way of a written agreement with the sub-processor which imposes appropriate data protection obligations on the sub-processors. Where a sub-processor is engaged for carrying out specific processing activities on your behalf, Gelato shall by way of a written agreement impose on the sub-processor the same data protection obligations as set out in the Data Processing Agreement. At your request, Gelato shall provide you with a copy of such written agreement, however commercial and other business sensitive information may be redacted.

  4. Gelato remains fully responsible for the performance of the sub-processors' obligations.

8. INTERNATIONAL DATA TRANSFERS

  1. Gelato may transfer personal data to a non-EEA country (third country) or an international organization only if it complies with the requirements laid down in the GDPR and only on documented instructions from you.

  2. If, subject to Clause 7, the use of a sub-processor requires the transfer of personal data to a third country, you instruct Gelato to transfer personal data to such sub-processor. Gelato shall ensure that the Standard Contractual Clauses are concluded with the sub-processor, if necessary.

  3. Gelato may transfer personal data to a third country without instructions if required by applicable law in the EEA. In such event, Gelato shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (if so, Gelato shall inform you as soon as permitted by law).

9. PERSONAL DATA BREACHES

  1. In the event of a personal data breach, Gelato shall without undue delay notify you in writing about the breach.

  2. The notification shall, if relevant, and to the extent Gelato has or may reasonably obtain the information, contain:

(a) a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) the identities of the affected data subjects, if possible;

(c) the name and contact details of a contact point of Gelato where more information may be obtained;

(d) a description of the likely consequences of the personal data breach;

(e) a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and

(f) other information reasonably required for you to comply with Applicable Data Protection Law.

3. You are solely entitled to and, if required by Applicable Data Protection Law, obliged to notify the relevant supervisory authority and the data subjects about a personal data breach.

4. Gelato shall without undue delay take all those measures reasonably required for the purpose of avoiding the re-occurrence of similar personal data breaches.

10. AUDITS

  1. Gelato shall maintain necessary records and make available to you all information reasonably necessary to demonstrate compliance with the Data Processing Agreement and Applicable Data Protection Law.

  2. Gelato shall allow for and contribute to audits of Gelato's processing operations conducted by you, or another auditor engaged by you. The audits shall generally be performed by review of audit reports prepared by a third party auditor engaged by Gelato, which will be made available to you upon request.

  3. If you can substantiate reasons that justify an additional audit, you are entitled to request further information and to perform an on-site audit of Gelato, and, if required, of the sub-processor. The personnel conducting the audit shall be subject to appropriate confidentiality undertakings. A request for audit shall, if possible, be made with at least 14 days' notice. To the extent reasonably possible, audits shall be conducted within ordinary working hours and without obstructing Gelato's activities.

  4. Authorities who supervise you have a right to request information from and to conduct audits of Gelato to the same extent as you.

  5. A party shall cover its own costs associated with an audit performed under this clause.

  6. However, if an audit reveals material deviations from the obligations set out in the Data Processing Agreement, the costs of the audit shall be borne by Gelato, including your reasonable costs and another auditor engaged by you.

11. TERM AND TERMINATION

  1. The Data Processing Agreement will remain in force as long as Gelato processes the personal data to provide the Service, pursuant to the Agreement.

  2. Upon expiry, Gelato shall, at your choice, return all the personal data and copies thereof to you or delete all personal data. Return, if chosen, shall take place by means of allowing you to have access to the personal data within a period of ninety (90) days following termination, to enable the extraction of the personal data.

  3. You acknowledge that, irrespective of deletion, Gelato may retain personal data in backup in accordance with Gelato's ordinary backup routines, however without using the personal data for any purpose.

SCHEDULE 1 - SECURITY MEASURES

Gelato uses physical, technical, and organizational security measures to safeguard the confidentiality, integrity, and availability of its data, from unauthorized or accidental disclosure.

Gelato maintains a security program aligned to ISO 27000 series and NIST standards. We develop security policies and procedures for the key areas of the organization. All Gelato employees are kept up to date on our security and privacy practices, and regular security awareness training is performed.

Access to the Gelato portal is encrypted and protected (encryption in transit) using strong protocols (TLS) and algorithms. All Gelato servers are hosted in the cloud. Security measures are one of the key criteria based on which we select our cloud providers (currently AWS and Google Inc.). In addition to the cloud providers' security measures, we use encryption at rest for the data. Data is regularly backed up in accordance with privacy regulations and accepted best practices for disaster recovery. When payments are processed via credit card, we use third-party vendors that are PCI DSS compliant.

Despite these efforts, no information system can be 100% secure, so we cannot guarantee the absolute security of our systems. You also have a role to play in keeping your data safe. We encourage your users to use unique and hard-to-guess passwords for their accounts and not to share them with others. You should only grant access rights to people who you know and trust. You should monitor the accounts regularly. If you suspect that someone has gained unauthorized access to your account, please contact us immediately so that we can investigate.

LIST OF SUBPROCESSORS

Applicable to all modules

Outsourced customer support companies

AWS

Google Inc

GelatoConnect Logistics

Logistics Providers selected by You

GelatoConnect Procurement

Suppliers

Logistics Providers selected by You

GelatoConnect Workflow

Third-party integrations selected by You