DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“DPA”) is entered into by and between:

  • The Merchant (“Controller” or “Merchant”), being the entity that has subscribed to the Teeinblue Services (as defined below); and
  • TEEINBLUE PTE. LTD., with registered address at 3 Coleman Street, #03-24 Peninsula Shopping Complex, Singapore (179804) (“Processor” or “Teeinblue”).

This DPA is incorporated into and forms an integral part of the Terms of Service or other main agreement governing the Merchant’s use of the Teeinblue Services (“Main Agreement”) between Teeinblue and the Merchant.

WHEREAS:

(A) The Merchant uses Teeinblue’s application and related services (“Teeinblue Services”), which may involve the processing of Personal Data (as defined below).

(B) Teeinblue will process certain Personal Data on behalf of the Merchant in the course of providing the Teeinblue Services.

(C) The Parties wish to establish their rights and obligations concerning the processing of Personal Data to ensure compliance with Applicable Data Protection Law (as defined below).

IT IS AGREED AS FOLLOWS:

1. Definitions

1.1 In this DPA, the following terms shall have the meanings set out below, and cognate terms shall be construed accordingly:

  • "Affiliate": Any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
  • "Applicable Data Protection Law": The General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and any other applicable data protection or privacy laws to which the Parties are subject in relation to the processing of Personal Data under this DPA.
  • "Controller": Has the meaning given in the Applicable Data Protection Law, referring in this DPA to the Merchant.
  • "Data Subject": Has the meaning given in the Applicable Data Protection Law.
  • "Data Subject Request": A request made by a Data Subject to exercise any rights granted under Applicable Data Protection Law.
  • "Personal Data": Has the meaning given in the Applicable Data Protection Law, specifically referring in this DPA to the Personal Data processed by the Processor on behalf of the Controller in connection with the Teeinblue Services, as further described in Annex 1.
  • "Personal Data Breach": Has the meaning given in the Applicable Data Protection Law.
  • "Processing": Has the meaning given in the Applicable Data Protection Law, and "process", "processes", and "processed" shall be construed accordingly.
  • "Processor": Has the meaning given in the Applicable Data Protection Law, referring in this DPA to Teeinblue.
  • "Standard Contractual Clauses" or "SCCs": The standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses adopted pursuant to Applicable Data Protection Law (including any UK equivalent addendum or clauses).
  • "Sub-processor": Any third-party data processor engaged by Teeinblue or its Affiliates to process Personal Data under this DPA.
  • "Supervisory Authority": Has the meaning given in the Applicable Data Protection Law.
  • "Teeinblue Services": The Teeinblue application and related services provided by Teeinblue to the Merchant under the Main Agreement.

1.2 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement.

2. Processing of Personal Data

2.1 Roles of the Parties: The Parties acknowledge and agree that for the purposes of Applicable Data Protection Law, the Merchant is the Controller and Teeinblue is the Processor of the Personal Data described in Annex 1.

2.2 Processor’s Obligations: Teeinblue shall process Personal Data only on behalf of the Merchant and in compliance with the Merchant’s documented instructions, which may include configurations made via the app dashboard, email instructions, or other written communications. These instructions must be lawful. Teeinblue shall immediately inform the Merchant if, in its opinion, an instruction infringes Applicable Data Protection Law. Teeinblue reserves the right to suspend data processing if the Merchant’s instructions violate Applicable Data Protection Law.

2.3 Details of Processing: The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and categories of Data Subjects processed under this DPA are further specified in Annex 1 (Details of Processing).

2.4 Compliance with Laws: Each Party shall comply with its respective obligations under Applicable Data Protection Law.

3. Merchant’s Obligations

3.1 The Merchant warrants that it has complied, and will continue to comply, with Applicable Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to Teeinblue.

3.2 The Merchant is solely responsible for the lawfulness of the processing of Personal Data, including obtaining any necessary consents or establishing other lawful bases for processing, and for the accuracy, quality, and legality of the Personal Data provided to Teeinblue. The Merchant shall indemnify Teeinblue against any claims arising from the Merchant’s failure to obtain valid consent or lawful basis for processing.

4. Security Measures

4.1 Teeinblue shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access ("Security Measures").

4.2 These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.3 Such measures shall include, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.4 A description of the current Security Measures implemented by Teeinblue is set out in Annex 2 (Security Measures). Teeinblue may update or modify these measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Teeinblue Services.

5. Confidentiality

5.1 Teeinblue shall ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Sub-processing

6.1 General Authorization: The Merchant grants Teeinblue general written authorization to engage Sub-processors to process Personal Data on the Merchant’s behalf, subject to the requirements of this Section 6.

6.2 Current List and Notification of New Sub-processors: Teeinblue shall maintain an up-to-date list of its current Sub-processors used for the Teeinblue Services, available at [Link to Sub-processor List] (or provided upon request). Teeinblue shall inform the Merchant of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Merchant the opportunity to object to such changes.

6.3 Objection Right: The Merchant may object to the appointment of a new Sub-processor on reasonable data protection grounds by notifying Teeinblue in writing within 14 days after receipt of Teeinblue’s notice. If the Merchant objects, Teeinblue will collaborate with the Merchant to resolve the objection. If the objection cannot be resolved within 30 days, Teeinblue may suspend the affected functionality, and the Merchant shall bear the cost of any vendor changes.

6.4 Sub-processor Obligations: Teeinblue shall enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this DPA, ensuring appropriate technical and organizational measures to meet the requirements of Applicable Data Protection Law.

6.5 Liability: Teeinblue shall remain fully liable to the Merchant for the performance of the Sub-processor’s data protection obligations.

7. Data Subject Rights

7.1 Taking into account the nature of the processing, Teeinblue shall provide reasonable assistance to the Merchant by implementing appropriate technical and organizational measures, insofar as possible, to fulfill the Merchant’s obligation to respond to Data Subject Requests.

7.2 If Teeinblue receives a Data Subject Request directly regarding Personal Data processed on behalf of the Merchant, Teeinblue shall promptly forward such request to the Merchant. Teeinblue shall maintain a record of such Data Subject Requests and actions taken in accordance with Article 30 of the GDPR. The Merchant shall be responsible for responding to all Data Subject Requests.

8. Personal Data Breach

8.1 Teeinblue shall notify the Merchant without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

8.2 Teeinblue shall provide the Merchant with sufficient information (to the extent available) to allow the Merchant to meet any obligations to report the Personal Data Breach to a Supervisory Authority or notify Data Subjects under Applicable Data Protection Law.

8.3 Teeinblue shall take reasonable steps to mitigate the effects and minimize any damage resulting from the Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

9.1 Teeinblue shall provide reasonable assistance to the Merchant with any data protection impact assessments (pursuant to Article 35 GDPR) and prior consultations with Supervisory Authorities (pursuant to Article 36 GDPR) that the Merchant reasonably considers required, taking into account the nature of processing and information available to Teeinblue.

10. Deletion or Return of Personal Data

10.1 Upon termination of the Main Agreement or upon the Merchant’s written request, Teeinblue shall, at the Merchant’s choice, delete or return all Personal Data processed on behalf of the Merchant within 30 days, and delete existing copies unless Applicable Data Protection Law requires retention of the Personal Data.

11. Audits and Inspections

11.1 Teeinblue shall make available to the Merchant all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Merchant or an auditor mandated by the Merchant (subject to reasonable confidentiality undertakings).

11.2 Audits may be conducted no more than once per year, unless required by Applicable Data Protection Law or following a Personal Data Breach. The Merchant shall provide at least 30 days’ notice before conducting an audit. The scope of the audit shall be limited to systems and processes relevant to the processing of Personal Data under this DPA. The costs of such audits shall be borne by the Merchant.

11.3 Teeinblue may provide third-party reports (such as SOC 2 or ISO 27001 certifications) where sufficient to demonstrate compliance, or coordinate a direct audit where legally required or contractually agreed.

12. International Data Transfers

12.1 Teeinblue shall not transfer Personal Data processed under this DPA outside the European Economic Area ("EEA"), Switzerland, or the United Kingdom ("UK") to any country not deemed adequate by the relevant authorities, unless appropriate safeguards compliant with Applicable Data Protection Law are in place.

12.2 Where Personal Data is transferred outside the EEA, Switzerland, or the UK to a country not providing an adequate level of data protection, the Parties agree that the Standard Contractual Clauses (SCCs) shall apply. The applicable modules and details for the SCCs are specified in Annex 5.

13. Liability

13.1 Each Party’s liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations on liability set forth in the Main Agreement, provided that such limitations do not apply to liability arising from:

  • Gross negligence or willful misconduct;
  • Breaches of confidentiality obligations;
  • Infringements of the other Party’s intellectual property rights; or
  • Any liability that cannot be limited or excluded by applicable law, including liability under Article 82 of the GDPR. This limitation shall not affect data subject rights under GDPR Article 82.

13.2 Teeinblue’s total aggregate liability for all claims arising under or in connection with this DPA shall not exceed the total amount paid by the Merchant to Teeinblue under the Main Agreement during the 12 months immediately preceding the event giving rise to the liability.

13.3 The Merchant agrees to indemnify and hold harmless Teeinblue against any claims, losses, damages, or expenses incurred by Teeinblue arising from any breach of this DPA or Applicable Data Protection Law by the Merchant, provided that Teeinblue promptly notifies the Merchant of any such claim and allows the Merchant to control the defense and settlement of the claim.

14. Term and Termination

14.1 This DPA shall commence on the date it is agreed upon by the Parties and remain in effect for as long as Teeinblue processes Personal Data on behalf of the Merchant under the Main Agreement.

14.2 Termination of the Main Agreement shall automatically terminate this DPA. Obligations related to confidentiality, return/deletion of data, and liability shall survive termination.

15. Miscellaneous

15.1 Governing Law and Jurisdiction: This DPA shall be governed by the laws of Ireland. The Parties submit to the exclusive jurisdiction of the courts of Ireland.

15.2 Entire Agreement: This DPA, including its Annexes and the relevant provisions of the Main Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements or understandings. In case of conflict between this DPA and the Main Agreement regarding data protection, this DPA shall prevail.

15.3 Amendments: Any amendments to this DPA must be in writing and signed by authorized representatives of both Parties.

15.4 Notices: Notices under this DPA shall be sent in accordance with the notice provisions in the Main Agreement.

15.5 Cooperation with Supervisory Authorities: Teeinblue shall cooperate with any Supervisory Authority in the performance of its tasks, as required by Applicable Data Protection Law.

IN WITNESS WHEREOF, the Parties have caused this Data Processing Agreement to be executed by their duly authorized representatives.


Annex 1: Details of Processing

(A) List of Parties:

  • Data Controller: The Merchant, as defined in the DPA.
  • Data Processor: TEEINBLUE PTE. LTD., as defined in the DPA.

(B) Subject Matter of Processing:

The provision of the Teeinblue Services by the Processor to the Controller, enabling product personalization and related order processing functionalities.

(C) Duration of Processing:

For the term of the Main Agreement between the Parties, plus any period required for data deletion/return as specified in this DPA.

(D) Nature and Purpose of Processing:

  • Nature: Collection, storage, processing, retrieval, use, transfer (to fulfill orders as instructed), structuring, and deletion of Personal Data as necessary to provide the Teeinblue Services functionality requested by the Controller and initiated by the Controller’s end-customers via the Controller’s online store integrated with Teeinblue Services.
  • Purpose: To enable the Controller to offer personalized products to its end-customers, including generating product previews based on end-customer input, storing personalization details associated with orders, and transmitting such details for order fulfillment purposes, all upon the Controller’s instruction via configuration and use of the Teeinblue Services.

(E) Type of Personal Data:

Personal Data submitted by or on behalf of the Controller through the Teeinblue Services, relating to the Controller’s end-customers. This may include:

  • Order Information (e.g., order ID, product details associated with personalization);
  • Personalization Data (e.g., text input, images uploaded, names, dates, or other data provided by the end-customer for product personalization);
  • Identifiers linking the personalization data to the end-customer’s order (e.g., customer name, email, shipping address).

(F) Categories of Data Subjects:

End-customers and prospective end-customers of the Merchant who interact with the product personalization features provided through the Teeinblue Services on the Merchant’s online store.


Annex 2: Security Measures

Teeinblue implements and maintains the following technical and organizational security measures:

  1. Encryption:
    • Data at rest: Encrypted using AES-256.
    • Data in transit: Encrypted using TLS 1.3.
  2. Access Controls:
    • Role-based access control (RBAC) with the principle of least privilege.
    • Multi-factor authentication (MFA) for all administrative access.
    • Regular access reviews conducted quarterly.
  3. Backups and Disaster Recovery:
    • Daily automated backups with a retention period of 30 days.
    • Disaster recovery plan tested annually.
  4. Security Testing:
    • Quarterly vulnerability scans.
    • Annual penetration testing by third-party experts.
  5. Physical Security:
    • Data centers comply with ISO 27001 and SOC 2 standards, with 24/7 monitoring and restricted access.
  6. Incident Response:
    • Documented incident response plan with procedures for identifying, containing, and reporting security incidents.
    • Regular training for staff on security awareness and incident handling.
  7. Certifications:
    • Teeinblue maintains ISO 27001 certification for its information security management system (if applicable).

(Note: The above measures are illustrative. Teeinblue should replace them with actual security practices and certifications specific to their operations.)


Annex 3: List of Sub-processors

The current list of Sub-processors engaged by Teeinblue is maintained at [Link to Sub-processor List] and includes, for example:

  • Amazon Web Services (AWS): Cloud hosting and storage services (Location: EU-West-1 (Ireland)).
  • Google Cloud Platform: Analytics and data processing services (Location: EU-West-1 (Ireland)).
  • Stripe: Payment processing services (Location: EU-West-1 (Ireland)).

Teeinblue shall ensure the list is always up-to-date and notify the Merchant of any changes at least 30 days in advance.


Annex 4: Record of Processing Activities

In accordance with Article 30(2) of the GDPR, Teeinblue shall maintain a record of processing activities carried out on behalf of the Merchant, which shall include:

  • The name and contact details of the Processor and the Controller;
  • The categories of processing carried out;
  • Transfers of Personal Data to a third country (if applicable);
  • A general description of the technical and organizational security measures.

This record shall be made available to the Merchant upon request.


Annex 5: Standard Contractual Clauses (SCCs)

For the purposes of international data transfers, the Parties agree to the following:

  • Applicable Module: Module Two (Controller to Processor) of the Standard Contractual Clauses (EU 2021/914) shall apply.
  • Governing Law: The SCCs shall be governed by the laws of Ireland.
  • Jurisdiction: Any disputes arising from the SCCs shall be resolved by the courts of Ireland.
  • Details: The information required by the SCCs is set out in Annex 1 (Details of Processing) and Annex 2 (Security Measures) of this DPA.

(Note: If Teeinblue uses Sub-processors outside the EEA, additional modules or agreements may be required. Legal counsel should review this section.)

 
