Updated July 31, 2024

Data Processing Agreement

1. Definitions

For the purposes of this DPA, the following definitions apply:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by APIWORX on behalf of the Customer in connection with the Services.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.
• "Sub-processor" means any third party appointed by APIWORX to process Personal Data on behalf of the Customer.

2. Scope and Purpose of Processing

2.1 APIWORX processes Personal Data solely for the purpose of providing the Services as described in the main Agreement and in accordance with the Customer's documented instructions.

2.2 The types of Personal Data processed may include: contact information (names, email addresses, phone numbers), business transaction data, order and fulfillment records, and any other data transmitted through the APIWORX platform by the Customer.

2.3 The categories of data subjects may include: the Customer's employees, customers, suppliers, and business partners whose data is processed through the Services.

3. Obligations of the Processor

APIWORX shall:

• Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
• Not engage another processor (sub-processor) without prior specific or general written authorization of the Customer.
• Assist the Customer in ensuring compliance with data subject rights requests under applicable Data Protection Laws.
• Delete or return all Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
• Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer.

4. Security Measures

4.1 APIWORX implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

• Encryption of Personal Data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee security awareness training
• Incident response and disaster recovery procedures
• Network security monitoring and intrusion detection

4.2 APIWORX regularly tests, assesses, and evaluates the effectiveness of these measures to ensure the security of processing.

5. Sub-processors

5.1 The Customer provides general authorization for APIWORX to engage sub-processors for the processing of Personal Data. APIWORX shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes.

5.2 Where APIWORX engages a sub-processor, APIWORX shall impose the same data protection obligations as set out in this DPA on that sub-processor by way of a contract.

5.3 APIWORX remains fully liable to the Customer for the performance of the sub-processor's obligations.

6. Data Breach Notification

6.1 APIWORX shall notify the Customer without undue delay after becoming aware of a Personal Data breach.

6.2 Such notification shall include: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

7. International Data Transfers

7.1 APIWORX shall not transfer Personal Data to a country outside the jurisdiction of the Customer without appropriate safeguards being in place, such as Standard Contractual Clauses or other legally recognized transfer mechanisms.

7.2 Where transfers are necessary for the provision of the Services, APIWORX shall ensure that appropriate safeguards are implemented in accordance with applicable Data Protection Laws.

8. Data Subject Rights

8.1 APIWORX shall assist the Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

8.2 APIWORX shall promptly notify the Customer if it receives a request from a data subject directly and shall not respond to such request without the Customer's prior written authorization.

9. Term and Termination

9.1 This DPA shall remain in effect for as long as APIWORX processes Personal Data on behalf of the Customer.

9.2 Upon termination of the Agreement or at the Customer's request, APIWORX shall, at the Customer's choice, delete or return all Personal Data and delete existing copies within 30 days, unless applicable law requires continued storage.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws governing the main Agreement between the parties, unless otherwise required by applicable Data Protection Laws.

Contact Information

For questions regarding this Data Processing Agreement or data protection practices, please contact us at:

• Email: privacy@apiworx.com
• Address: APIWORX LLC, United States