Evermile Data Processing
Last Updated: 2 October 2022
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Evermile Terms and Conditions Agreement (“Principal Agreement”), entered into by and between the Merchant (as defined in the Principal Agreement) (“Customer”) and Evermile UK Limited (“Evermile”), pursuant to which Merchant has facilitated Delivery Services through the Evermile Platform (the DPA together with the Principal Agreement – “Agreement”). Evermile and Customer are hereinafter jointly referred to as “Parties” and individually as “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Capitalized terms used in this Agreement that are not defined inline are defined in Section 13, otherwise shall have the meaning given to them in the Principal Agreement.
1. Processing of Customer Personal Data.
1.1 This DPA shall only apply with respect to Personal Data obtained by Evermile as a result of Customer’s use of Evermile’s Services, as described in Annex 1 (Details of Processing of Customer Personal Data) attached hereto. Without derogating from the provisions of the Agreement, solely Customer (and not Evermile) shall be liable for any excess Customer Personal Data provided or otherwise made available to Evermile or any Sub Processor in the course of providing Evermile's Services under the Agreement or this DPA. Evermile shall process Customer Personal Data solely as a data Processor acting on behalf of Customer and Customer shall be deemed the Controller of such Personal Data.
1.2 Evermile shall not Process Customer Personal Data other than according to the Customer’s documented reasonable and customary instructions as specified in the Agreement or this DPA, which were specifically and explicitly agreed to by Evermile, unless such Processing is required by Applicable Laws. Evermile shall inform the Customer of such legal requirement before processing unless the law prohibits such action on public interest grounds.
1.3 Customer instructs Evermile (and authorizes Evermile to instruct each Sub Processor) to (i) Process Customer Personal Data only to the extent required for the provision of Evermile’s Services under the Agreement; and, in particular (ii) transfer Customer Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with Sections 2.1-2.2 above, Section 12 below, and the Agreement, and in accordance with Applicable Laws.
1.4 Furthermore, Customer warrants and represents that it is and will remain duly and effectively authorized to give the instruction set out in Section 1.1 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Customer Affiliate, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Evermile is lawfully processing the Customer Personal Data. In addition, Customer warrants and represents that it has obtained all permissions, consents, authorizations and approvals, including by making all notices, required for it to allow Evermile to access and process personal data as permitted hereunder.
1.5 Customer sets forth the details of the Processing of Customer Personal Data, as required by Article 28(3) of the GDPR in Annex 1 (Details of Processing of Customer Personal Data), attached hereto.
2. Customer Obligations. Customer shall comply with all applicable laws in connection with the performance of this DPA. As between the Parties, Customer shall be solely responsible for compliance with applicable laws (including Data Protection Laws) regarding the collection of and transfer to Evermile of Customer Personal Data. Customer agrees not to provide Evermile with any special categories of data, as defined in Article 9 of the GDPR, other than as provided in Annex 1.
3. Evermile Personnel. Evermile shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know/access basis, and that all Evermile personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer’s Personal Data.
4. Security. Evermile shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures identified under Annex 4 (Technical and Organizational Measures) to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR, to ensure an appropriate level of security for the Customer’s Personal Data, which has to be sustained throughout the entire duration of this DPA, aimed to ensure the ongoing confidentiality, security of Processing systems and services in connection with the Processing of the Customer’s Personal Data, and aimed to restore the availability and access to Customer’s Personal Data in a timely manner in the event of a physical or technical incident. In assessing the appropriate level of security, Evermile shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub Processing.
5.1 Customer authorizes Evermile and each Evermile Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Agreement.
5.2 Evermile and each Evermile Affiliate may continue to use those Sub Processors already engaged by Evermile or any Evermile Affiliate as of the date of this DPA as identified in Annex 3 to this DPA (List of authorized Sub Processors), including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Customer requested Evermile to use.
5.3 Evermile may appoint new Sub Processors and shall give prior notice of the appointment of any new Sub Processor (for instance by e-mail), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If, within seven (7) days of such notice, Customer notifies Evermile in writing of any objections (on reasonable grounds) to the proposed appointment, Evermile shall not appoint for the processing of Customer Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Customer, and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer’s reasonable objections then Customer or Evermile may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination. Otherwise, Customer shall be deemed to have accepted such appointment.
5.4 With respect to each new Sub Processor, Evermile shall: (i) Before the Sub Processor first Processes Customer Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed to provide the level of protection for Customer Personal Data required by the Agreement; and (ii) Ensure that the arrangement between Evermile and the Sub Processor is governed by a written contract, including terms which offer a materially similar level of protection for Customer Personal Data as those set out in this DPA that meet the requirements of Data Protection Laws.
6. Data Subject Rights.
6.1 Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.). Taking into account the nature of the Processing, Evermile shall reasonably endeavour to assist Customer insofar as feasible, to fulfil Customer's said obligations with respect to such Data Subject requests, as applicable, at Customer’s sole expense.
6.2 Evermile shall: (i) unless otherwise required under applicable laws, promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and (ii) ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Evermile is subject, in which case Evermile shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before it responds to the request.
7. Personal Data Breach. Evermile shall notify Customer without undue delay upon Evermile becoming aware of a Personal Data Breach affecting Customer Personal Data, in connection with the Processing of such Customer Personal Data by Evermile or Evermile Affiliates. In such event, Evermile shall provide Customer with information (to the extent in Evermile’s possession) to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Data Protection Laws. At the written request of the Customer, Evermile shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer’s sole expense.
8. Data Protection Impact Assessment and Prior Consultation. At the written request of the Customer, Evermile and each Evermile Affiliate shall provide reasonable assistance to Customer, at Customer's expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Customer Personal Data by Evermile.
9. Deletion or return of Customer Personal Data. Subject to this Section 9, Evermile shall promptly and in any event within up to sixty (60) days of the date of cessation of any Services involving the Processing of Customer Personal Data, delete or pseudonymize all copies of those Customer Personal Data, except such copies as authorized including under this DPA or required to be retained by Evermile in accordance with applicable law and/or regulation. Subject to the Agreement, Evermile may retain Customer Personal Data to the extent authorized or required by applicable laws, provided that Evermile shall ensure the confidentiality of all such Customer Personal Data and shall ensure that it is only processed for such legal purpose(s).
10. Audit Rights.
10.1 To the extent required under applicable Data Protection Laws, subject to Sections 10.2 and 10.3, Evermile shall make available to a reputable independent auditor mandated by Customer in coordination with Evermile, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor in relation to the Processing of the Customer Personal Data by Evermile, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2 Provisions of information and audits are and shall be at Customer’s sole expense and may only arise under Section 10.1 to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement, and to Evermile's obligations to third parties, including with respect to confidentiality.
10.3 Customer shall give Evermile reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall not cause (and ensure that each of its mandated auditors does not cause) any damage, injury or disruption to Evermile’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Evermile need not give access to its premises for the purposes of such an audit or inspection: (i) to any individual unless he or she produces reasonable evidence of identity and authority; (ii) if Evermile was not given a written notice of such audit or inspection at least 2 weeks in advance; (iii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Evermile that this is the case before attendance outside those hours begins; and (iv) for premises outside Evermile's control (such as data storage farms of Evermile's cloud hosting providers).
11. Restricted Transfers.
11.1 Processing of Personal Data shall be carried out by Evermile exclusively within the EU / EEA or the United Kingdom, unless otherwise previously explicitly approved in writing by the Customer. The approval shall be deemed granted for Sub Processors enumerated in the table Annex 3 below. Evermile undertakes to ensure that the transfer of personal data outside the EU / EEA or the United Kingdom, if applicable, is carried out on the basis of the Standard Contractual Clauses.
11.2 To the extent one Party that is subject to the GDPR transfers Personal Data to the other Party who has its place of business in a Third Country that has not been recognized by the European Commission as an Adequate Country, the terms of the transfer between the Parties shall be governed by the EU Standard Contractual Clauses incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, in the extent applicable to the transfer. The particular roles of the Parties, the applicable extent, and the relevant modules of the EU Standard Contractual Clauses that will apply to such transfers are defined in Section A of Annex 2. Section A of Annex 2 includes all necessary information that is required in the Appendix to the EU Standard Contractual Clauses.
11.3 To the extent one Party transfers Personal Data from the United Kingdom to the other Party who has its place of business in a Third Country that has not been recognized as an Adequate Country under the UK GDPR, the terms of the transfer between the Parties shall be governed by the UK Addendum that is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, as applicable to the transfer. The Parties agree the UK Addendum is appended to the EU Standard Contractual Clauses as modified (including the selection of modules and disapplication of optional clauses) by Section 12.2 and Section A of Annex 2. Section B of Annex 2 includes all necessary information that is required in Part 1 of the UK Addendum.
12. Governing Law and Jurisdiction. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
13. Order of Precedence. Nothing in this DPA reduces Evermile’s obligations under the Agreement in relation to the protection of Personal Data or permits Evermile to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way limit or derogate from Customer’s own obligations and liabilities towards Evermile under the Agreement, and/or pursuant to the GDPR or any law applicable to Customer, in connection with the collection, handling and use of Personal Data by Customer or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Personal Data to Evermile and/or providing access thereto to Evermile.
14. Changes in Data Protection Laws. Customer may by at least forty-five (45) calendar days' prior written notice to Evermile, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Customer Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and if Customer gives notice with respect to its request to modify this DPA under Section 14; Evermile shall make commercially reasonable efforts to accommodate such modification request; and Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Evermile to protect Evermile against additional risks, or to indemnify and compensate Evermile for any further steps and costs associated with the variations made herein. If Customer gives notice under Section 14, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Customer or Evermile may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
15. Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which the Customer is subject to any other Data Protection Laws;
“Customer Personal Data” means any Personal Data Processed by Evermile on behalf of Customer pursuant to or in connection with the Agreement;
“Data Protection Laws” means (a) EU Data Protection Laws; (b) the UK GDPR; and (c) to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in the United States and Israel;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“EU SCC” or “EU Standard Contractual Clauses” mean the annex to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the council as shall be amended from time to time (including without limitation, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June, 2021), in all cases incorporating the Relevant Amendments (as defined above). Upon the effective date of adoption for any revised standard contractual clauses by the European Commission, all references in this DPA to the “EU SCCs” shall refer to that latest version and the parties shall cooperate to prepare such amendments to this DPA, including the Relevant Amendments, as may be required to take into account and give effect to the European Commission’s adoption of the revised standard contractual clauses. In the event of any conflict or inconsistency between the terms of this DPA and the provisions of the EU SCC (to the extent the latter has been entered into by the parties pursuant to Section 12.2 (Restricted Transfers) below), the provisions of the EU SCC shall prevail;
“GDPR” means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements or supplements;
“Relevant Amendments” means the amendments to the EU SCC and the UK Addendum identified under Annex 2 (Standard Contractual Clauses).
“Restricted Transfer” means (i) a transfer of Customer Personal Data from Customer to Evermile; or (ii) an onward transfer of Customer Personal Data from Evermile to a Sub Processor, or between two establishments of Evermile, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses;
“Sub Processor” means any third party (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Evermile or any Evermile Affiliate to Process Personal Data on behalf of the Customer in connection with the Principal Agreement; and
“Standard Contractual Clauses” or “SCCs” means the EU SCC and the UK Addendum as defined herein, and as applicable to the transfers of Personal Data pursuant to this DPA;
“UK Addendum” means the International Data Transfer Addendum to the EU Commission standard contractual clauses issued by the UK Information Commissioner’s Office (version B1.0, in force March 21st, 2022);
“UK GDPR” means the United Kingdom’s Data Protection Act 2018 and the GDPR as adapted into law of the United Kingdom by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018; and
The terms, “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Special Categories of Data,” “Process/Processing,” “Controller,” “Processor,” and “Supervisory Authority” shall have the same meanings given to them in the GDPR (or another applicable Data Protection Law).
Annex 1 - Details of Processing of Customer Personal Data
This Annex 1 includes certain details of the Processing of Customer authorized user Personal Data as required by Article 28(3) or 28(4) GDPR.
Subject Matter and Duration of the Processing of Customer Personal Data. The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement.
The nature and purpose of the Processing of Customer Personal Data: Evermile’s Processing activities with respect to Customer Personal Data include the collection, organization, structuring, storage, adaptation or alteration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction of data (whether or not by automated means) as necessary to provide the Evermile services under the Principal Agreement.
The types of Customer Personal Data to be Processed are as follows:
a) Merchant Data: (i) Merchant details; (ii) Delivery address, store location and/or pick-up location(s); (iii) Merchant contact details; (iv) Any additional information requested by Evermile to ensure Customers and End-Customers can use the Platform and receive services by Evermile.
b) Delivery and End-Customer Data: (i) End-Customer name, username, address and other personal and contact details; (ii) Delivery content and instructions - Package type, size, weight and content; (iii) End-Customer preferred delivery time window and delivery SLA; (iv) Proof of delivery instructions; and (v) any additional information requested by Evermile to ensure Customers and End-Customers can use the Platform and receive services by Evermile.
The categories of Data Subjects to whom the Customer Personal Data relates are as follows:
Customer's End-Customers. Customer’s personnel.
The obligations and rights of Customer. The obligations and rights of Customer and Customer Affiliates are set out in the Agreement.
Annex 2 - STANDARD CONTRACTUAL CLAUSES
A. EU Standard Contractual Clauses
For the purposes of the EU Standard Contractual Clauses, the Parties agree on the following:
(i) Module One and Module Four language shall be deleted.
(ii) Clause 7 (Docking Clause) does not apply.
(iii) For Clause 9 (Use of sub-processors) (a) (only for MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor), Option 1 applies with a 30-day time period.
(iv) The optional paragraph under Clause 11 (Redress) (a) does not apply.
(v) For Clause 17 (Governing law) (only for MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor), Option 1 applies. The EU Standard Contractual Clauses shall be governed by the law of Ireland.
(vi) For Clause 18 (Choice of forum and jurisdiction), any dispute arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.
The following modules of the EU Standard Contractual Clauses apply to the transfers under this DPA:
☒ MODULE TWO: Transfer controller to processor
☐ MODULE THREE: Transfer processor to processor
For the avoidance of doubt, modules not checked above do not apply to the transfers under this DPA.
B. UK Addendum
Annex 3 - List of authorized Sub Processors
Annex 4 - Technical and Organizational Measures
Evermile shall implement and maintain adequate information security controls to protect against unauthorized access to or use of Customer Personal Data. Evermile is implementing and maintaining the following information security controls (collectively, the “Information Security Controls”):
a. which protect the confidentiality, integrity, and authenticity of Personal Data so that it is processed, used, maintained and disclosed only as necessary for the specific purpose for which this information was disclosed to Evermile and only in accordance with this DPA;
b. access controls on information systems, including controls to authenticate, permit, remove, and audit access, which ensures only the authorized officers, directors, employees, consultants, attorneys, accountants, agents and independent subcontractors (and their employees) and other representatives or other third parties who have a need to know have access to such Personal Data to fulfil Evermile’s obligations under applicable law;
c. effective monitoring systems, qualified personnel, and procedures to detect and respond to actual and attempted attacks on or intrusions into information systems;
d. industry standard backup controls and measures to protect against destruction, loss or damage of Personal Data due to breach of integrity, authenticity, and/or potential environmental hazards, such as fire and water damage; and
e. regular testing of key controls, systems and procedures of these Information Security Controls.