1 Definitions and interpretation
The following definitions and rules of interpretation apply in this Addendum.
- Business Purposes: The solution and any other services to be provided by Klevu to the Client under the Contract.
- Controller: has the meaning given to it in the Data Protection Laws.
- Data Subject: the identified or identifiable living individual to whom the Shopper Data relates.
- European Data Protection Laws:
- (a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
- (b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Client or Klevu is subject, which relates to the protection of personal data.
- EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
- EEA: the European Economic Area.
- Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
- Records: has the meaning given to it in clause 11.
- Standard Contractual Clauses (SCCs): the ICO’s International Data Transfer Addendum for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU or such alternative clauses as may be approved by the European Commission or by the UK from time to time.
- Term: this Addendum’s term as defined in Clause 13.
- UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.1 This Addendum is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Addendum.
1.2 The Appendices form part of this Addendum and will have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Appendices.
1.3 In the case of conflict or ambiguity between:
- 1.3.1 any provision contained in the body of this Addendum and any provision contained in the Appendices, the provision in the body of this Addendum will prevail;
- 1.3.2 any of the provisions of this Addendum and the provisions of the Terms of Service, the provisions of this Addendum will prevail; and
- 1.3.3 any of the provisions of this Addendum and any executed SCC, the provisions of the executed SCC will prevail.
2 Personal data types and processing purposes
2.1 The Client and Klevu agree and acknowledge that for the purpose of the European Data Protection Laws the Client is the controller and Klevu is the processor with regard to the processing of Shopper Data.
2.2 The Client is responsible for its compliance obligations under the applicable Data Protection Laws and shall ensure that its collection and use of any Shopper Data accessed through the Solution complies with the Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents and rights necessary under the applicable Data Protection Laws for Klevu to process Shopper Data on behalf of the Client.
2.3 Appendix 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Klevu may process the Shopper Data to fulfill the Business Purposes.
2.4 The Client warrants and represents that Klevu’s expected use of the Shopper Data for the Business Purposes and as may be specifically instructed by the Client in accordance with clause 3.1 will comply with the Data Protection Laws.
3 Klevu’s obligations
3.1 Klevu will only process the Shopper Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client’s documented instructions as set forth in this Addendum, unless otherwise agreed in writing. Klevu will notify the Client if, in its opinion, the Client’s instructions do not comply with the European Data Protection Laws, unless prohibited from doing so under European Data Protection Laws.
3.2 Klevu will maintain the confidentiality of the Shopper Data and will not disclose the Shopper Data to third parties unless the Client or this Addendum specifically authorises the disclosure, or as required by domestic law, court or regulator. If a domestic law, court or regulator requires Klevu to process or disclose the Shopper Data to a third party, Klevu will first inform the Client of such legal or regulatory requirement, unless the domestic law prohibits the giving of such notice.
3.3 Upon request, Klevu will provide reasonable information to assist the Client with meeting its compliance obligations under the Data Protection Laws, taking into account the nature of Klevu’s processing and the information available to Klevu, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the relevant regulator under the Data Protection Laws.
3.4 Klevu will promptly notify the Client of any changes to the Data Protection Laws that may reasonably be interpreted as adversely affecting Klevu’s performance of the Terms of Service or this Addendum.
4 Klevu’s employees
4.1 Klevu will ensure that all of its employees who are authorised to process Shopper Data:
- 4.1.1 are informed of the confidential nature of the Shopper Data and are bound by confidentiality obligations and use restrictions in respect of the Shopper Data; and
- 4.1.2 have undertaken training on the Data Protection Laws relating to handling Personal Data and how it applies to their particular duties.
5.1 Klevu will implement and maintain appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Shopper Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Shopper Data. Details of these measures are set out in Appendix 2.
5.2 The Client is responsible for reviewing the information made available by Klevu in Appendix 2 relating to its security measures and making an independent determination as to whether the Solution meets the Client’s requirements and legal obligations under the applicable Data Protection Laws. The Client acknowledges that Klevu’s security measures are subject to technical progress and development and may be updated from time to time, provided that such updates and modifications do not result in a degradation of the overall security of the Solution.
6 Personal Data Breach
6.1 Klevu will without undue delay, and where feasible within 48 hours, notify the Client if it becomes aware of:
- 6.1.1 the loss, unintended destruction or damage, corruption, or unusability of part or all of the Shopper Data;
- 6.1.2 any accidental, unauthorised or unlawful processing of the Shopper Data; or
- 6.1.3 any Personal Data Breach.
6.2 Where Klevu becomes aware of any of the events described in clauses 6.1.1, 6.1.2 and/or 6.1.3 above, it shall, without undue delay, also provide the Client with the following information:
- 6.2.1 a description of the nature of the event, including the categories of in-scope Shopper Data and the approximate number of both Data Subjects and Shopper Data records concerned;
- 6.2.2 the likely consequences; and
- 6.2.3 a description of the measures taken or proposed to be taken to address the event, including measures to mitigate its possible adverse effects.
6.3 Following any accidental, unauthorised or unlawful Shopper Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Klevu will take reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Shopper Data processing.
6.4 Klevu will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Shopper Data and/or a Personal Data Breach without first obtaining the Client’s written consent, except when required to do so by domestic law.
7.1 The Client agrees that Klevu may engage sub-processors to process Shopper Data. Those sub-processors engaged by Klevu and approved by the Client as at the commencement of this Addendum can be found at https://www.klevu.com/sub-processors/.
7.2 Where Klevu intends to add a new sub-processor, it shall make details of such new sub-processor available on the Website at least 30 days (Sub-processor Notice Period) before transferring any Shopper Data to the new sub-processor. The Client shall notify Klevu during the Sub-processor Notice Period if it objects to the new sub-processor. If the Client does not object to the sub-processor during the Sub-processor Notice Period, the Client shall be deemed to have accepted the sub-processor. If the Client has raised a reasonable objection to the new sub-processor, and the parties have failed to agree on a solution within the Sub-processor Notice Period, the Client may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Klevu without the use of the objected-to new sub-processor by providing written notice to Klevu. Klevu will refund the Client any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on the Client.
7.3 Klevu will:
- 7.3.1 enter into a written contract with each sub-processor that contains terms substantially the same as those set out in this Addendum, in particular, in relation to requiring appropriate technical and organisational data security measures (subject to the nature of the service provided by the sub-processor), and, subject to any confidentiality restrictions, upon the Client’s written request provide the Client with copies of the relevant excerpts from such contracts; and
- 7.3.2 remain fully liable to the Client for the performance or non-performance of the sub-processor’s obligations.
8 Cross-border transfers of personal data
8.1 Where a sub-processor is located outside of the EEA and its activities are not subject to the European Data Protection Laws, Klevu shall:
- 8.1.1 process the Shopper Data in a territory which is subject to adequacy regulations under the European Data Protection Laws confirming that the territory provides adequate protection for the privacy rights of individuals; or
- 8.1.2 participate in a valid cross-border transfer mechanism under the European Data Protection Laws, so that Klevu (and, where appropriate, the Client) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR. This may include the incorporation of Standard Contractual Clauses into the written agreement with the sub-processor.
9 Complaints, data subject requests and third-party rights
9.1 Klevu has in place a number of features in the Solution which enable the Client to access, rectify, erase, restrict and transmit the Shopper Data processed by Klevu. Klevu may use such features at no extra cost to enable the Client to comply with:
- 9.1.1 the rights of Data Subjects under the Data Protection Laws; and
- 9.1.2 information or assessment notices served on the Client by the relevant data protection authority under the European Data Protection Laws.
In addition, Klevu shall provide reasonable additional assistance to the Client (to the extent possible considering the nature of the processing) to enable the Client to comply with its obligations with respect to Data Subjects’ rights under the Data Protection Laws.
9.2 Klevu shall (considering the nature of the processing and information available to it) provide reasonably requested information regarding the Solution to enable the Client to carry out a data protection impact assessment to the extent required under the European Data Protection Laws.
9.3 Klevu shall promptly notify the Client in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Shopper Data or to either party’s compliance with the Data Protection Laws.
9.4 If Klevu receives a request from a Shopper for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws, Klevu shall promptly notify the Client and provide a copy of the request unless prohibited from doing so under domestic law. Klevu shall not respond directly to a Shopper without the Client’s prior authorisation (unless legally required to do so).
10 Data return and destruction
10.1 On termination of the Terms of Service for any reason or expiry of its term, Klevu will retain the Shopper Data for a period of 90 days from the date of termination during which period the Client may request that such Shopper Data is returned and/or deleted. Following the expiry of this period and subject to clause 10.2 below, Klevu will retain and anonymise shopper search analytics data for analysing consumer patterns.
10.2 Klevu shall not be required to delete, destroy or return Shopper Data to the extent that any law, regulation, or government or regulatory body requires Klevu to retain any or all Shopper Data that Klevu would otherwise be required to return or destroy. Klevu shall securely isolate such retained Shopper Data until such time as it is deleted in accordance with Klevu’s deletion policies, except to the extent required by applicable law.
11.1 Klevu will keep written records regarding processing of the Shopper Data, including but not limited to, the access, control and security of the Shopper Data, approved subcontractors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).
11.2 Klevu will ensure that the Records are sufficient to enable the Client to verify Klevu’s compliance with its obligations under this Addendum and Klevu will, on a confidential basis, provide the Client with copies of the Records upon request.
Klevu will make available to the Client and its third-party representatives all information reasonably necessary to demonstrate compliance with this Addendum, including permitting the Client to audit Klevu, on at least 10 days’ notice during the Term, provided that the Client shall not exercise this right more than once per calendar year.
13 Term and termination
13.1 This Addendum will remain in full force and effect so long as:
- 13.1.1 the Terms of Service remains in effect (and all Shopper Data has been deleted or returned to the Client); or
- 13.1.2 Klevu retains any of the Shopper Data related to the Terms of Service in its possession or control (Term).
13.2 The parties agree that this Addendum shall replace any existing data processing agreement, or similar provisions or agreement, that the parties may have previously entered into in connection with the Solution.
Appendix 1 – Shopper Data processing purposes and details
Data Subjects: the Shoppers as defined in the Contract
Controller: the Client as defined in the Contract
Categories of data
The Personal Data processed concerns the following categories of data:
- First name, last name, contact number and address
- Email addresses of the Data Subjects highlighted in the previous section (only when using the DotMailer integration)
- For billing purposes: business name, billing address and VAT number, payer’s email address
- Localization data
- Shoppers’ IP addresses and transactional data
- Browser cookies
1. Client’s details:
- First name, last name, contact number, company address, and website URL:
  - used for identifying a subscriber in our database and solely for the purpose of communication between Klevu and Klevu’s affiliates and the subscriber
  - used as an account identifier
  - used for billing and account-related matters such as new features, announcements, plugin upgrades and other notifications to which the subscriber has subscribed
- Business name, billing address, and VAT number:
  - used for billing and invoicing purposes
- Payer’s email address and credit card details:
  - used for collecting payments but never stored in the database or logs
2. Shoppers’ IP addresses
- To identify Shoppers’ locations (i.e. country and local region) with a view to providing location-based search insights to the Client
- To calculate transaction based KLEVU-led conversions
- To provide a personalised search experience to the store’s Shoppers
3. Shoppers’ transaction data (optional)
- ID of the product bought, the price paid, the IP from which the product was bought.
- This data is collected to calculate KLEVU-led conversions
4. Shoppers’ Email addresses
- Used only in conjunction with the DotMailer email marketing tool (if the Client utilises the DotMailer integration). The collected email addresses are never exposed to anyone at Klevu, as they are stored only as MD5 hashes, an irreversible form.
5. Browser cookies
- Used for storing category names, filters, product IDs and recently searched terms. All but the product IDs are often passed to the backend system as API parameters to obtain personalised product recommendations (for Shoppers).
Klevu stores Shopper Data for the duration of the subscription. The data is either deleted or irreversibly anonymised within 90 days of the cessation date.
Appendix 2 – Klevu Data Security Measures
Klevu maintains an Information Security Management System (ISMS) that is designed and implemented to:
- Identify and suitably treat risks relating to information security
- Assist with protecting customer data against unlawful or accidental access, loss or disclosure
- Assist with securing Klevu infrastructure
- Create, maintain and implement Information Security related policies to create a secure working environment and processes.
Klevu has assigned a lead implementer to maintain and manage the ISMS, with other employees assigned roles and responsibilities to support the ISMS.
Klevu will maintain administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of personal data submitted to the subscribed services as described below.
- All new employees undergo an Information Security induction, and there is a continual training and awareness programme in place which includes topics such as company policies, GDPR, OWASP and phishing
- All employee contracts include appropriate non-disclosure and/or confidentiality clauses
- Onboarding and offboarding checklists are in place to grant and revoke access as employees join and leave the organisation
- A number of internal company policies to create and maintain a secure working environment including, but not limited to:
  - Acceptable Use Policy
  - Remote Working Policy
  - Data Handling Policy
  - Information Security Risk Management Policy
  - Supplier Management Policy
  - Information Security Incident Response
  - Disaster Recovery
- Only reputable data centre providers that hold at least SOC 2 or ISO 27001 certification are used for hosting facilities. This ensures that a minimum standard of physical security and high availability, managed by these providers, is maintained.
- All data in transit is protected with TLS 1.2/1.3 encryption and HTTPS
- Deployment of firewalls, virtual private clouds (VPCs), network load balancers, content delivery network and intrusion prevention systems to protect the network
- Data replication across multiple regions to ensure availability
- The infrastructure has been designed to avoid single points of failure and data loss and to allow maintenance with minimal impact on the production systems
- Use of industry standard encryption technology
- Regular backups of customer data and server configuration which are stored in different regions to where the backup is taken from
- Multi-factor authentication is required for infrastructure access, with access to the production systems limited to a few selected members of staff
- Continuous real-time monitoring for all services and infrastructure 24x7x365 for real-time visibility with alerts triggered to multiple channels.
- Production data is stored in a combination of dedicated and multi-tenant environments, where each store catalog’s data is separated from the others through the use of a unique API key per store catalog.
- Segregated development, testing and UAT environments for deploying software before production
- Static application security testing embedded within the pipelines used for code deployments
- All new code changes undergo multiple forms of testing (functional, scale and stress) before being released to production, and regression testing is also carried out
- Dedicated test data – customer data is never used for testing purposes
- Annual penetration testing of the application carried out by a third party