This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Evermile Terms and Conditions Agreement (“Principal Agreement”), entered into by and between the Merchant (as defined in the Principal Agreement) (“Customer”) and Evermile UK Limited (“Evermile”), pursuant to which Merchant has facilitated Delivery Services through the Evermile Platform (the DPA together with the Principal Agreement – “Agreement”). Evermile and Customer are hereinafter jointly referred to as “Parties” and individually as “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Capitalized terms used in this Agreement that are not defined inline are defined in Section 13, otherwise shall have the meaning given to them in the Principal Agreement.
2. Customer Obligations.
Customer shall comply with all applicable privacy, consumer, marketing, spam and other relevant laws in connection with the performance of this DPA. As between the Parties, Customer shall be solely responsible for compliance with its relevant laws (including Applicable Laws) regarding the collection of and transfer to Evermile (and its service providers and partners) of Customer Personal Data. Customer agrees not to provide Evermile with any special categories of data. Customer shall defend, indemnify and hold harmless Evermile, its Affiliates and subsidiaries (including their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Customer and/or its authorized users of any applicable laws and/or this DPA.
3. Evermile Personnel.
Evermile shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know/access basis, and that all Evermile personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer’s Personal Data. Notwithstanding the foregoing, Evermile may disclose and Process Customer Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by Applicable Laws (in such a case, Evermile shall inform the Customer of the legal requirement before the disclosure, unless these Laws prohibit such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
4. Security.
Evermile shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures identified under Annex 4 (Technical and Organizational Measures) to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Applicable Laws, aimed to ensure the ongoing confidentiality, security of Processing systems and services in connection with the Processing of the Customer’s Personal Data, and aimed to restore the availability and access to Customer’s Personal Data in a timely manner in the event of a physical or technical incident.
5. Sub Processing.
5.1. Customer hereby authorizes Evermile and each Evermile Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Agreement.
5.2. Evermile and each Evermile Affiliate may continue to use those Sub Processors already engaged by Evermile or any Evermile Affiliate as of the date of this DPA as identified in Annex 3 to this DPA (List of authorized Sub Processors), which are hereby deemed approved by Customer, including for the purpose of cloud hosting services Sub Processors, as well as any Sub Processors whom Customer requested Evermile to use.
5.3. Customer hereby authorizes Evermile and each Evermile Affiliate to appoint new Sub Processors and Customer hereby grants a general written authorization for the appointment of any new Sub Processor. Evermile shall notify Customer of the new appointment (for instance by e-mail or an in-Platform update) and allow Customer to object. Customer shall have three (3) days from such notice to notify Evermile in writing of any objections (on reasonable Applicable Laws-related grounds) to the proposed appointment. Failure to object to such Sub Processor in writing within three (3) days following Evermile’s notice shall be deemed as acceptance of the Sub Processor. In the event Customer reasonably objects to a Sub Processor, as permitted in the preceding sentences, Evermile shall use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Customer Personal Data by the objected-to Sub Processor without unreasonably burdening Customer. If Evermile is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, then, as a sole remedy, Customer or Evermile may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Evermile. Until a decision is made regarding the Sub Processor, Evermile may temporarily suspend the Processing of the affected Customer Personal Data. Customer will have no further claims against Evermile due to the termination of the Agreement (including, without limitation, requesting refunds) in the situation described in this Section 5.
5.4. With respect to each new Sub Processor, Evermile shall have in place a data processing agreement between Evermile and the Sub Processor, including terms which offer a materially similar level of protection for Customer Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.
6. Data Subject Rights.
6.1. Customer shall be responsible for compliance with its obligations concerning requests to exercise Data Subject rights under Applicable Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.). Taking into account the nature of the Processing, Evermile shall reasonably endeavour to assist Customer insofar as commercially feasible, to fulfil Customer's said obligations with respect to such Data Subject requests, as applicable, at Customer’s sole expense.
6.2. Evermile shall: (i) unless otherwise required under applicable laws, promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and (ii) not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Evermile is subject, in which case Evermile shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before it responds to the request.
7. Personal Data Breach.
Evermile shall notify Customer without undue delay upon Evermile becoming aware of a Personal Data Breach affecting Customer Personal Data, in connection with the Processing of such Customer Personal Data by Evermile or Evermile Affiliates. In such event and as Evermile deems necessary, possible and reasonable, Evermile shall provide Customer with information (to the extent in Evermile’s possession) to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Applicable Laws. At the written request of the Customer, Evermile shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer’s sole expense. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users and end-customers, or are otherwise unrelated to the provision of the Services.
8. Data Protection Impact Assessment and Prior Consultation.
At the written request of the Customer, Evermile and each Evermile Affiliate shall provide reasonable assistance to Customer, at Customer's cost and expenses, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Applicable Laws. Such assistance shall be solely in relation to Processing of Customer Personal Data by Evermile.
9. Deletion of Customer Personal Data.
Subject to this Section 9, Evermile shall promptly and in any event within up to sixty (60) days of the date of cessation of any Services involving the Processing of Customer Personal Data, delete or pseudonymize all copies of those Customer Personal Data, except such copies as authorized including under this DPA or required or allowed to be retained by Evermile in accordance with Applicable Laws and/or regulation, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws.
10. Audit Rights.
10.1. To the extent required under Applicable Laws, subject to Sections 10.2 and 10.3, Evermile shall make available to a reputable independent auditor mandated by Customer that is not a competitor of Evermile, upon Customer's prior written request and at reasonable intervals, a copy or a summary of Evermile’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Evermile’s prior written approval and, upon Evermile’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Evermile in the context of the audit and/or the certification), and shall allow for audits, including inspections, by such reputable auditor in relation to the Processing of the Customer Personal Data by Evermile, provided that such third-party auditor shall be subject to confidentiality obligations and that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, personal data that does not belong to Customer.
10.2. Provisions of information and audits are and shall be at Customer’s sole cost and expenses and may only arise under Section 10.1 to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of the applicable Applicable Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement, and to Evermile's obligations to third parties, including with respect to confidentiality.
10.3. Customer shall give Evermile reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall not cause (and ensure that each of its mandated auditors does not cause) any damage, injury or disruption to Evermile’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Evermile need not give access to its premises for the purposes of such an audit or inspection: (i) to any individual unless he or she produces reasonable evidence of identity and authority; (ii) if Evermile was not given a written notice of such audit or inspection at least 2 weeks in advance; (iii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Evermile that this is the case before attendance outside those hours begins; and (iv) for premises outside Evermile's control (such as data storage farms of Evermile's cloud hosting providers).
11. Restricted Transfers.
11.1. Processing of Personal Data shall be carried out by Evermile exclusively within the EU / EEA or the United Kingdom or Israel, unless otherwise previously explicitly approved in writing by the Customer. The approval shall be deemed granted for Sub Processors enumerated in the table in Annex 3 below. Evermile undertakes to ensure that the transfer of Customer Personal Data outside the EU / EEA or the United Kingdom to countries that do not offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (e.g., Israel), if applicable, is carried out on the basis of the Standard Contractual Clauses.
11.2. To the extent one Party that is subject to the Applicable Laws transfers Personal Data to the other Party who has its place of business in a Third Country that has not been recognized by the European Commission as an Adequate Country, the terms of the transfer between the Parties shall be governed by the EU Standard Contractual Clauses incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, to the extent applicable to the transfer. The particular roles of the Parties, the applicable extent, and the relevant modules of the EU Standard Contractual Clauses that will apply to such transfers are defined in Section A of Annex 2. Section A of Annex 2 includes all necessary information that is required in the Appendix to the EU Standard Contractual Clauses.
11.3. To the extent one Party transfers Personal Data from the United Kingdom to the other Party who has its place of business in a Third Country that has not been recognized as an Adequate Country under the UK GDPR, the terms of the transfer between the Parties shall be governed by the UK Addendum that is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, as applicable to the transfer. The Parties agree the UK Addendum is appended to the EU Standard Contractual Clauses as modified (including the selection of modules and disapplication of optional clauses) by Section 12.2 and Section A of Annex 2. Section B of Annex 2 includes all necessary information that is required in Part 1 of the UK Addendum.
12. Governing Law and Jurisdiction.
The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
13. Order of Precedence.
Nothing in this DPA reduces Evermile’s obligations under the Agreement in relation to the protection of Personal Data or permits Evermile to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Applicable Laws (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way limit or derogate from Customer’s own obligations and liabilities towards Evermile under the Agreement and/or pursuant to any Applicable Laws, in connection with the collection, handling and use of Personal Data by Customer or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Personal Data to Evermile and/or providing access thereto to Evermile.
14. Changes in Applicable Laws.
Customer may by at least forty-five (45) calendar days' prior written notice to Evermile, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Applicable Law, to allow Processing of those Customer Personal Data to be made (or continue to be made) without breach of that Applicable Law; and if Customer gives notice with respect to its request to modify this DPA under this Section 13; Evermile shall make commercially reasonable efforts to accommodate such modification request; and Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Evermile to protect Evermile against additional risks, or to indemnify and compensate Evermile for any further steps and costs associated with the variations made herein. If Customer gives notice under this Section 14, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Customer or Evermile may, by written notice to the other Party, with immediate effect and as its sole remedy, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
15. Severance.
Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
16. Definitions.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Applicable Laws” means the GDPR and the United Kingdom General Data Protection Regulation and the UK Data Protection Act of 2018;
“Customer Personal Data” means any Personal Data Processed by Evermile on behalf of Customer pursuant to or in connection with the Agreement;
“EU SCC” or “EU Standard Contractual Clauses” mean the annex to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council as shall be amended from time to time (including without limitation, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June, 2021), in all cases incorporating the Relevant Amendments (as defined above). Upon the effective date of adoption for any revised standard contractual clauses by the European Commission, all references in this DPA to the “EU SCCs” shall refer to that latest version and the parties shall cooperate to prepare such amendments to this DPA, including the Relevant Amendments, as may be required to take into account and give effect to the European Commission’s adoption of the revised standard contractual clauses. In the event of any conflict or inconsistency between the terms of this DPA and the provisions of the EU SCC (to the extent the latter has been entered into by the parties pursuant to Section 12.2 (Restricted Transfers) below), the provisions of the EU SCC shall prevail;
“GDPR” means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements or supplements;
“Relevant Amendments” means the amendments to the EU SCC and the UK Addendum identified under Annex 2 (Standard Contractual Clauses);
“Restricted Transfer” means (i) a transfer of Customer Personal Data from Customer to Evermile; or (ii) an onward transfer of Customer Personal Data from Evermile to a Sub Processor, or between two establishments of Evermile, in each case, where such transfer would be prohibited by Applicable Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses;
“Sub Processor” means any third party (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Evermile or any Evermile Affiliate to Process Personal Data on behalf of the Customer in connection with the Principal Agreement;
“Standard Contractual Clauses” or “SCCs” means the EU SCC and the UK Addendum as defined herein, and as applicable to the transfers of Personal Data pursuant to this DPA;
“UK Addendum” means the International Data Transfer Addendum to the EU Commission standard contractual clauses issued by the UK Information Commissioner’s Office (version B1.0, in force March 21st, 2022); and
“UK GDPR” means the United Kingdom’s Data Protection Act 2018 and the GDPR as adapted into law of the United Kingdom by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018;
The terms, “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Special Categories of Data,” “Process/Processing,” “Controller,” “Processor,” and “Supervisory Authority” shall have the same meanings given to them in the GDPR and/or UK GDPR (or another applicable Data Protection Law).
Details of Processing of Customer Personal Data
This Annex 1 includes certain details of the Processing of Customer authorized user Personal Data as required by applicable laws.
Subject Matter and Duration of the Processing of Customer Personal Data. The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement.
The nature and purpose of the Processing of Customer Personal Data: Evermile’s Processing activities with respect to Customer Personal Data include the collection, organization, structuring, storage, adaptation or alteration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction of data (whether or not by automated means) as necessary to provide the Evermile services under the Principal Agreement.
The types of Customer Personal Data to be Processed are as follows:
(a) Customer Data (to the extent considered Personal Data): (i) Customer name, and/or other details; (ii) Customer address, store and/or warehouse location and/or pick-up location(s); (iii) Customer and Customer users' contact details e.g. phone number, email address; (iv) IP address; (v) payment details; and (vi) any additional information requested by Evermile to ensure Customer can use the Platform and receive Services by Evermile.
(b) Delivery and End-Customer Data: (i) End-Customer name, username, email address, address, phone number, IP address and other personal and contact details; (ii) Delivery content and instructions - Package type, size, weight and content; (iii) End-Customer preferred delivery time window and delivery SLA; (iv) Proof of delivery instructions; and (v) any additional information requested by Evermile to ensure Customers and End-Customers can use the Platform and receive services by Evermile.
For the avoidance of doubt, the information subject to Evermile’s privacy policy (e.g., log-in details and analytics information) available here: https://www.evermile.io/privacy-policy shall not be subject to the terms of this DPA.
The categories of Data Subjects to whom the Customer Personal Data relates are as follows:
Customer's End-Customers. Customer’s personnel.
The obligations and rights of Customer. The obligations and rights of Customer and Customer Affiliates are set out in the Agreement.
Standard Contractual Clauses
A. EU Standard Contractual Clauses
For the purposes of the EU Standard Contractual Clauses, the Parties agree on the following:
(i) Module One and Module Four language shall be deleted.
(ii) Clause 7 (Docking Clause) does not apply.
(iii) For Clause 9 (Use of sub-processors) (a), Option 2 applies with a 3-day time period.
(iv) The optional paragraph under Clause 11 (Redress) (a) does not apply.
(v) For Clause 17 (Governing law), Option 1 applies. The EU Standard Contractual Clauses shall be governed by the laws of Ireland.
(vi) For Clause 18 (Choice of forum and jurisdiction), any dispute arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.
B. UK Addendum
Evermile shall implement and maintain adequate information security controls to protect against unauthorized access to or use of Customer Personal Data. Evermile is implementing and maintaining the following information security controls (collectively, the “Information Security Controls”):
(a) which protect the confidentiality, integrity, and authenticity of Personal Data so that it is processed, used, maintained and disclosed only as necessary for the specific purpose for which this information was disclosed to Evermile and only in accordance with this DPA;
(b) access controls on information systems, including controls to authenticate, permit, remove, and audit access, which ensures only the authorized officers, directors, employees, consultants, attorneys, accountants, agents and independent subcontractors (and their employees) and other representatives or other third parties who have a need to know have access to such Personal Data to fulfil Evermile’s obligations under Applicable Laws;
(c) effective monitoring systems, qualified personnel, and procedures to detect and respond to actual and attempted attacks on or intrusions into information systems;
(d) industry standard backup controls and measures to protect against destruction, loss or damage of Personal Data due to breach of integrity, authenticity, and/or potential environmental hazards, such as fire and water damage; and
(e) regular testing of key controls, systems and procedures of these Information Security Controls.