This Data Processing Addendum (“DPA”) amends and supplements any existing and currently valid Agreement(s) (the “Agreement(s)”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and BridalLive Software, LLC, d/b/a BridalLive (together with its subsidiary and affiliated entities, collectively, “Processor”) and is hereby incorporated by reference into the Agreement(s).

WHEREAS, Processor provides to Customer bridal web solutions (collectively, the “Service”) pursuant to the Agreement. In connection with the Service, the parties anticipate that Processor may process outside of the European Economic Area (“EEA”) and United Kingdom, certain Personal Data (as defined below) in respect of which Customer may be a data controller under applicable EU Data Protection Laws (as defined below); and

WHEREAS, the parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws.

NOW THEREFORE, the parties agree as follows:

1. Defined Terms. Terms used but not defined in the Addendum, such as “personal data breach”, “processing”, “controller”, “processor” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR. In addition, the following definitions are used in the Addendum:

1. “EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR.
2. “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
3. “Personal Data” means any information relating to an identified or identifiable natural person located in the European Economic Area and United Kingdom. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Effective Date. This DPA is effective on the later of (a) the start of enforcement of the GDPR or (b) the date Processor begins to process Personal Data on behalf of Customer.

3. Data Processing Description. Exhibit A to this DPA describes the data exporter, data importer, data subjects, data categories, special data categories (if appropriate), the processing operations and the technical and organizational measures implemented by Processor to protect the Personal Data.

4. GDPR Contractual Terms. Pursuant to Articles 28, 32 and 33 of the GDPR:

1. Customer grants a general authorization: (i) to Processor to appoint its affiliates as sub-processors, and a specific authorization (ii) to Processor and its affiliates to appoint as sub-processors the companies and in respect of the sub-processing activities set out in Exhibit B attached hereto. [Article 28(2)]
2. Processor shall:
   1. process the Personal Data only on documented instructions from Customer unless required to do so by European Union or Member State law to which Customer is subject; in such a case, Customer shall inform Processor of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
   2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   3. take all applicable and appropriate measures required of processors pursuant to Article 32 of the GDPR.
   4. taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject's rights set forth in Chapter III of the GDPR.
   5. assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Processor.
   6. at the direction of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless European Union or Member State or United States law requires storage of the Personal Data; provided, however, that Processor may retain Personal Data for the length of any applicable statutes of limitations for the purposes of bringing or defending claims.
   7. make available to Customer all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer and immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions. [Article 28(3)]
3. Where Processor engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under European Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. [Article 28(4)]
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. [Article 32(1)]
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. [Article 32(2)]
6. Customer and Processor shall take steps to ensure that any natural person acting under the authority of Customer or Processor who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by European Union or Member State law (or, in the case of Processor, United States law). [Article 32(4)]
7. Processor shall notify Customer without undue delay after becoming aware of a Personal Data breach. [Article 33(2)] Such notice will, at a minimum, (A) describe the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (B) communicate the name and contact details of the data protection officer or other contact where more information can be obtained; (C) describe the likely consequences of the personal data breach; and (D) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. [Article 33(3)]

5. International Transfers. Processor adheres to both EU-U.S. and U.S.-Swiss Privacy Shield compliance frameworks. [Article 46] Customer acknowledges and agrees that Processor is located in the United States and Customer’s provision of Personal Data to Processor for processing is a transfer of Personal Data to the United States.

6. Processing by Controller. Customer represents and warrants that the Personal Data provided to Processor for processing under the Agreement and this DPA is collected and/or validly obtained by Customer in compliance with all applicable EU Data Protection Laws, including without limitation Chapter II of the GDPR.

7. Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits.

8. Modification. To the extent that it is determined by any data protection authority that this DPA is insufficient to comply with the applicable EU Data Protection Laws, or to the extent required otherwise by any changes in the applicable data protection laws, Customer and Processor agree to cooperate in good faith to amend this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with any EU Data Protection Laws applicable to the Processor and Customer.

9. General. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data. This DPA does not confer any third-party beneficiary rights, is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. This DPA only applies to the extent Processor processes Personal Data on behalf of Customer. Except as required under the GDPR, this DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to applicable principles of conflicts of law to the extent that the application of the laws of another jurisdiction would be required thereby. In case of any dispute related to this DPA, the parties agree to submit to personal jurisdiction in the State of Delaware. Furthermore, the parties hereby irrevocably and unconditionally submit to the exclusive jurisdiction of any court of the State of Delaware or any federal court sitting in the State of Delaware for purposes of any suit, action or other proceeding arising out of this DPA. THE PARTIES HEREBY IRREVOCABLY WAIVE ANY AND ALL RIGHTS TO A TRIAL BY JURY IN ANY ACTION, SUIT OR OTHER PROCEEDING ARISING OUT OF OR RELATING TO THE TERMS, OBLIGATIONS AND/OR PERFORMANCE OF THIS DPA. This DPA together with the Agreement is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.

Data exporter

The data exporter is: Customer. Customer is a user of Services supplied by Processor.

Data importer

The data importer is: Processor, a provider of software and services.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify): Data subjects include the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Services.

Categories of data

Information we collect on our customers (businesses): includes business name, physical address, web address, email address, phone number, business Hours, sales agreements, email templates, inventory, sales, purchase orders, employee contact information (name, email, phone), and application usage statistics.

Information we collect on our customers' customers: includes names, phone numbers, email addresses, physical addresses, event information, fit measurements, appointment history, style preferences, purchase history, and other data in an electronic form used by Processor in the context of the Services.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): collect, store, retrieve, consult, use, erase or destruct, disclose by transmission, disseminate or otherwise make available data exporter’s data as necessary to provide the Services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).

Description of the technical and organizational security measures implemented by the data importer:

Processor maintains reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data transferred to Processor as described in Processor’s privacy policy which is available at https://app.bridallive.com/privacy.html.

Sub-processor name	Permitted sub-processing activities
Amazon Web Services	Cloud Hosting Services
MixPanel	Website analytics
Stripe	Payment card processing
Twilio	Electronic communications
Mailchimp	Electronic communications
Chargify	Invoicing
Google	Website analytics
Facebook	Website analytics
Fullsteam Operations	Payment card and ACH payment processing