MSA Appendix
Cleverbridge Solution Specific Terms: Service Provider Payment Routing
Click here to download this document as a PDF.
These Solution Specific Terms apply to Client’s subscription for Cleverbridge’s payment routing services, and incorporate and become a part of the Master Subscription Agreement (MSA) found at grow.cleverbridge.com/MSA. Capitalized terms not defined within these Terms shall have the meaning set forth in the MSA or corresponding subscription schedule.
1. Base Services
1.1 Overview. Unless otherwise agreed, the Services described in this section are mandatory and any associated fees are set
forth in the Subscription Schedule.
1.2 Definitions. Cleverbridge’s Internet storefront used by Client to sell Products to Customers under this Agreement shall be
considered the “Online Store”. Any Client-supplied item that Client offers for sale using the Online Store shall be considered
a “Product”. An Order shall be either (a) a new purchase request from a Customer for a Product, or (b) the renewal of an
existing Order. Any entity or person placing an Order on the Online Store shall be considered a “Customer”.
1.3 Payment Routing. Client may procure payment routing services from Cleverbridge to enable a payment for an Order toa
Client-owned bank account using a third-party supplier selected by Cleverbridge to process an Order and charge it to a
Customer (such supplier being a “Payment Provider”). Upon Client’s request, Cleverbridge shall disable a payment method
offered by a Payment Provider or payment routing service.
1.4 Order Management. For Order processing, Provider shall exchange Customer data with third-party systems (e.g., for tax
calculation purposes) and store transaction data.
1.5 PCI-DSS Compliance. Cleverbridge is certified as compliant with the Payment Card Industry Data Security Standards (PCI
DSS) and processes Orders in a PCI-DSS compliant manner.
1.6 Chargeback Notifications. Cleverbridge shall notify Client about Chargeback alerts if received from the respective Payment
Provider.
1.7 Revenue Reporting. Client has access to standard Online Store revenue reports.
1.8 Access to Interfaces. Client shall have access to Cleverbridge’s API and webhook notifications (hereinafter “Interfaces”) for
the purpose of using the Services. Client may use the Interfaces solely as provided and documented by Cleverbridge. Client
acknowledges that the Interfaces are subject to regular updates. Cleverbridge shall notify Client of any material Interface
changes or deprecations.
1.9 Customer Experience Funnels. Cleverbridge’s solution includes localized websites for specific business use cases, including
checkout funnels, signup funnels, A/B testing, and Customer profiles enabling Customers to store Payment Methods. Any
non-standard customizations occurring after the signing of this Agreement are subject to additional fees to be mutually
agreed.
1.10 Service Availability. Time-periods during which Cleverbridge is technically unable to deliver an Online Store webpage to a
Customer to place an Order shall be considered “Downtime”. Downtime commences when Cleverbridge detects an incident
or when Cleverbridge receives notice from Client of an incident, whichever is earlier. Downtime ends when Customer’s ability
to place an Order is restored or a reasonable workaround has been implemented. Planned maintenance, events outside of
Cleverbridge’s (and its subcontractors) reasonable control as well as Force Majeure events shall not be considered
Downtime. Cleverbridge shall calculate the uptime of the Online Store as follows: ((hours of operation – Downtime) ÷ hours of
operation), all in minutes per calendar month (“Uptime”).
1.11 Service Credits. For each month during which the Uptime is below 99,90% on a rolling three-month basis, Client may claim
from Cleverbridge a payment in the amount of 5% of the net Order-related Fees received by Cleverbridge within the last
month under this Subscription Schedule during which Cleverbridge adhered to the above-mentioned service level (the
“Service Credit”). Cleverbridge shall not be obliged to pay any Service Credit that Client claims more than six months after it
became due. The Service Credits defined in this section shall constitute Client’s full and final settlement for any Online Store
performance degradation.
1.12 Service Suspension. If (a) a third party announces legal measures or other proceedings against Cleverbridge, or (b) Client breaches this Agreement or its agreement with Customer, or (c) Cleverbridge reasonably determines that the provision of the
Services bears any legal or commercial risk, Cleverbridge is permitted, in its sole discretion, to suspend the Services
(including subscription renewals) in full or in part at any given time without incurring any liability to Client.
1.13 Embargoed Countries and Sanctions Screening. Cleverbridge screens each transaction under this Agreement against
various sanctions and denied parties list. Cleverbridge is unable to process any transaction with an embargoed country.
Client agrees to provide Cleverbridge with the information Cleverbridge needs to perform such screenings.
2. Optional Services
2.1 Overview. The Services described in this section are optional and payable by Client at the agreed rates as set forth in the
Subscription Schedule, or as later agreed by the Parties at the time of procuring the Optional Services. Optional Services are
subject to mutually agreed additional fees.
2.2 Fraud Monitoring. Before processing an Order, Cleverbridge uses its fraud detection solution to determine the fraud risk.
Client acknowledges that not all payment methods are subject to fraud monitoring and that the determination of a potential
fraud is based on automatic processes driven by algorithms and block lists per payment type. Client acknowledges that
Cleverbridge’s solution cannot prevent all fraudulent Orders from being executed. Cleverbridge shall be entitled to deny any
Order that it reasonably deems fraudulent.
2.3 Tax Calculation. Cleverbridge may use Client’s tax calculation provider account for any required sales-tax related calculation
purposes.
2.4 Product Price Conversion. If the Product retail price is not defined in the currency used to place an Order (the “Order
Currency”), Cleverbridge shall convert the Product Price from US-Dollars if Client is contracting with Cleverbridge Inc. or Euro
in all other cases (the “Product Base Currency”) to the Order Currency using, at its discretion, use either (a) the lowest bid
rate published (by a publicly available market data Cleverbridge), either on the day before the Order date or on the last day of
the clearing period, or (b) the average rate published (by a publicly available market data Cleverbridge) during the timespan
between the Order date and the last day of the clearing period (the “FX-Rate”).
2.5 Storefront Design Services. Client may procure from Cleverbridge design and development services that Cleverbridge
requires to operate the Online Store as requested by Client.
2.6 Customer Tracking Consent. Client may procure from Cleverbridge integration of Client's tracking consent service, subject
to Cleverbridge’s approval.
2.7 Customer Communication Automation. Cleverbridge offers to automate Client’s email communication with Customers
for Order-related events (such as an upcoming Order renewal). As part of this service, Cleverbridge shall send up to three
payment reminders to any Customers by email who did not pay their Order. Cleverbridge shall not provide any dunning or
other regulated services.
2.8 Cleverbridge Integrations. At Client’s option, Client may connect its account to certain platforms and applications using
Cleverbridge's integrations. These platforms may take certain actions on Client’s behalf and access data available through
Client's account, including Customer data. Client therefore authorizes Cleverbridge to share data with any platform or
application that is configured in Client's Cleverbridge account (e.g., through a control panel or APIs). Client may withdraw its
authorization by removing the platform or application from Client's account. Client waives the right to bring any claims
against Cleverbridge for losses Client incurs due to any actions or use of data by any platform or application connected to
Client's account. Client will fully reimburse Cleverbridge for any loss Cleverbridge incurs that result from Client's actions or
use of such data by any platform or application.
2.9 Subscription Management. Cleverbridge offers recurring billing support for subscription Products.
2.10 Global Invoice Generation. Cleverbridge offers to generate Client-branded invoices and pro-forma invoices for global
Customers in PDF format. Client shall provide all information requested by Cleverbridge for global invoice compliance.
2.11 U.S. Tax Exemption Document Handling. Cleverbridge offers a process that allows United States Customers to submit their
VAT exemption certificate to the Online Store for review by Client. Client can accept or reject the certificate. Cleverbridge
shall consider any VAT exemption accepted by Client when processing an Order.
2.12 EU Reverse Charge Procedure. Cleverbridge offers a validation service of Customer EU VAT numbers through either the
German or the European Union database. Cleverbridge shall utilize only an EU VAT identification number contained in either
database when processing an Order. If the relevant database is unavailable, Cleverbridge has the right to suspend Order
processing at its sole discretion. Valid EU VAT numbers shall be processed using the reverse charge principle (without VAT
calculated on the invoice issued by Cleverbridge).
2.13 Chargeback Dispute Management. In case of an attempted or completed Order payment reversal for any payment method
(including credit card and direct debit payments) that a Customer requested directly from his bank (a “Chargeback”),
Cleverbridge shall attempt to resolve such Chargeback by providing the documentation required and further engaging in its
resolution process with supported Payment Processors.
2.14 Chargeback Mitigation Service. Cleverbridge shall provide a service to process actual or potential Chargebacks in a
manner that does not count against Client’s Chargeback rate with the respective Payment Processor. Cleverbridge does not
warrant that it can prevent all Chargebacks.
2.15 Data Export. Upon Client’s request, Cleverbridge shall export to Client (and/or to Client’s PCI-DSS certified replacement
Cleverbridge) all Customer payment data, that it legally can provide in compliance with global privacy laws, PCI-DSS
requirements, and other applicable law or regulations. Client must provide Cleverbridge ninety calendar days notice to
complete such export.
2.16 Consulting Services. For work that is outside of the scope of this Agreement, Cleverbridge offers various Consulting
Services, subject to hourly fees.
3. Excluded Services
3.1 No Product Fulfillment. Client shall be solely responsible for, and Cleverbridge shall not engage in, any delivery or fulfillment
of Products to Customers.
3.2 No Legal, Tax, or Customs Advice. Client acknowledges and agrees that Cleverbridge does not provide legal, tax, or
customs advice or calculations. Client is solely responsible for its own legal, compliance, and tax policies, including any
contract negotiations with Customers regarding an Order.
4. Client Cooperation Obligations
4.1 Setup Services. Client shall cooperate with Cleverbridge to integrate the mandatory and optional Client platform integrations
stipulated in Sections 1 and 2, including, but not limited to, granting to Cleverbridge: (a) continuous access to all required
integrations with third parties, including providing all required credentials, and (b) all approvals necessary for Cleverbridge to
engage with such third parties. Cleverbridge disclaims all liability for any failures due to Client’s platform or third-party
integrations.
4.2 Service Contributions. Client shall use its best commercial efforts to contribute to the Services as required by Cleverbridge,
including, but not limited to, providing reasonably requested information for the purpose of Cleverbridge or Client complying
with any law or regulation.
4.3 Intellectual Property Rights License. Client shall provide to Cleverbridge a royalty-free license to all its present and future
worldwide copyrights, trademarks, trade secrets, patents, patent rights, moral rights, and other proprietary rights of any
nature, to the extent required to provide the Services. Cleverbridge may sublicense this right to members of the Cleverbridge
group of companies.
4.4 No Charges to Cleverbridge. Client shall fulfill, provide, and manage all Client Cooperation Obligations to Cleverbridge free
of charge. Cleverbridge shall not be responsible for any delays or damages resulting from Client’s failure to fulfill its Client
cooperation obligations or from any unavailability of Client’s platform integrations.
4.5 Information Obligation. Client shall regularly notify Cleverbridge of any changes in Products that may impact Cleverbridge’s
provision of the Services. Client must also notify Cleverbridge of any geographic trade restrictions or license requirements it
may be or become subject to.
4.6 Press Release. Client agrees to issue a joint press release with Cleverbridge no later than fourteen days after the Effective
Date, announcing the appointment of Cleverbridge as Client’s eCommerce Services Cleverbridge. Client agrees to be a
reference client of Cleverbridge and that Cleverbridge may disclose in its advertising, promotion, and similar public
disclosures that Client is Cleverbridge’s client.
5. Refunds
5.1 Cleverbridge-induced Refunds. Cleverbridge shall be entitled, in its sole discretion, to cancel an Order and grant Customers
an Order reversal that is no Chargeback (a “Refund”) if (a) Cleverbridge determines that an Order is fraudulent or likely to
cause a Chargeback, or (b) if required by applicable law.
5.2 Refund Policy. Client shall communicate its Order Refund policy to Cleverbridge.
5.3 No Fee Refund. For the avoidance of doubt, Client shall not receive a Fee credit for any Refund.
5.4 Limitation of Duties. Except as expressly agreed, Cleverbridge shall not be obligated to process returns, warranty claims,
Refund claims, or other claims for Client.
6. Warranties
6.1 Proper Business Conduct. Client warrants that he will refrain from using illegal, false, deceptive, or otherwise misleading
business practices when (directly or indirectly, including through marketing affiliates) promoting Products.
6.2 Customer Tracking. Client warrants that it shall not invoke any marketing tracking or analytics tool by using the Online Store
that has not been authorized by Cleverbridge. Client also warrants that it will not use any Customer Information received
from Cleverbridge in breach of any applicable data privacy laws.
6.3 Sanction Screening. Client warrants that unless Cleverbridge performs sanction screening as stated in this Agreement,
Client diligently performs all necessary denied party screening activities as required by all applicable laws and regulations
and that it will deny the fulfillment of any Order from a sanctioned person or entity.
7. Data Protection
7.1 Data Processing Agreement. Cleverbridge’s provision of the Services is contingent upon the Parties acceptance of and
adherence to the attached Data Processing Addendum. The indemnification obligation under section 6 of the Agreement also
applies to Client’s breaches of the Data Processing Addendum.
8. Product Terms for SEPA Direct Debit
8.1 Processing. Cleverbridge shall support Client in creating and maintaining a SEPA Direct Debit Transaction mandate to be
used in a Customer invoice and in the Online Store (containing the creditor ID, the mandate reference ID, and the direct debit
date when the Customer will be debited). Client is aware that during this process, the creditor ID of another Cleverbridge’s
entity (Cleverbridge Financial Services GmbH, hereinafter “PSP”) will be used and communicated to the Customer with the
pre-notification. In case of a recurring Transaction under an existing SEPA Direct Debit mandate, Client shall refrain from
disabling Cleverbridge’s pre-notification functionality in the Online Store.
8.2 Termination of PSP Agreement. Cleverbridge shall stop processing any SEPA Direct Debit Transactions upon termination for
any reason of the agreement between Client and PSP.
9. Product Terms for Full Liability Submitter (Payment Routing in US-only)
9.1 Overview. The terms in this section apply only if Client utilizes Cleverbridge’s Full Liability Submitter (“FLS”) model.
9.2 Geographic Restrictions. FLS is available for use only in conjunction with payment processing services offered in the United
States by Paymentech, Inc. with the help of Cleverbridge, Inc.
9.3 Agreement with Payment Provider. To utilize FLS, Client must execute a separate agreement with the Payment Provider
required by Cleverbridge.
9.4 Chargeback Notifications. Client shall pay to Cleverbridge the agreed Fee for Chargeback alerts.
9.5 Establishment of Rolling Reserve. The Parties agree that Client will fund a security deposit managed by Cleverbridge to
cover for charges (including Chargeback fees, interchange fees, service provider or “scheme” fees, fines, payment fees, and
penalties, whether disputable or not) from any Payment Provider to Cleverbridge under this Subscription Schedule (the
“Rolling Reserve”). Upon execution of the Agreement, Client shall (a) provide the agreed amount for the Rolling Reserve, if
applicable and (b) during the first year (and unless otherwise agreed), Client shall fund the Rolling Reserve with 3,5% of the
transaction volume (including VAT) of all Orders. Alternatively, Client shall be entitled to fund the Rolling Reserve by
furnishing a first-demand bank guarantee.
9.6 Adjustment of Rolling Reserve. Upon expiration of the first year of the Term of this Agreement, Cleverbridge shall
recalculate the Rolling Reserve at the end of each calendar quarter at its discretion based on the actual risk of the Service to
Cleverbridge so that the rolling reserve amounts covers this risk as assessed by Cleverbridge. The minimum rolling reserve
shall be the equivalent of €50,000, and the maximum shall be 1% of the aggregated gross revenue during the preceding
twelve months plus the Reserve Security Deposit. If the bank guarantee deviates by more than 15% from the required rolling
reserve, Client will change the amount of such bank guarantee to reflect the agreed amount.
9.7 Currency Conversion. For all Customer payments processed in a currency other than the Product Base Currency,
Cleverbridge shall convert the Customer payment currency to the Product Base Currency using the FX-Rate. Cleverbridge
shall charge the currency conversion fee agreed in the relevant Subscription Schedule.
9.8 Additional Indemnification. In addition to Client’s indemnification obligations elsewhere in the Agreement, Client further
agrees to indemnify Cleverbridge for all fines, fees, penalties, liabilities, charges, and other amounts which may be imposed
or assessed by the card networks or other payment scheme on Cleverbridge as a result of Client’s actions, omissions,
including, but not limited to, its engagement in prohibited business activities, merchant categories, or transaction types;
payments by or to Customers; Chargebacks; Client’s failure to comply with the Card Network Rules, Payment Provider Rules,
this Agreement, or any agreed security standards.
9.9 Federal Income Tax Reporting. Client authorizes Cleverbridge to share with Payment Provider certain required taxpayer
information in connection with Customer transactions processed under this Agreement. Cleverbridge shall provide only that
information which Payment Provider represents is necessary to fulfill Payment Provider’s reporting obligations imposed by
the United States Internal Revenue Service. Client agrees to provide Cleverbridge with its Form W-9 or Form W-8 BEN-E and to
cooperate with Cleverbridge’s reasonable requests in connection with collecting the information referenced in this section.
9.10 Right of Termination or Suspension. Cleverbridge has the right to immediately terminate the Agreement for cause if
Cleverbridge, in its sole discretion, deems Client’s Chargeback Rate excessive. Cleverbridge further has the right to suspend
Client’s right to transact if, in Cleverbridge’s sole discretion, Client engages in fraudulent, unusual, or otherwise prohibited
transactions; Client is no longer in good standing; or Cleverbridge’s continued association with Client would damage
Cleverbridge’s reputation.
Ex. 1
Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered by Client (hereinafter referred to as “Controller”) and Cleverbridge (hereinafter referred to as “Processor”) and it covers all data processing activities by Processor for Controller under the Master Subscription Agreement (“MSA” or “Agreement”).
1. Processing of Customer Data
1.1 Role of the Parties. The Parties agree that Client is the Controller and Cleverbridge is the Processor with respect to all
Customer Data Processed in connection with the Services provided under the Agreement. Cleverbridge is acting as Processor
on Client’s behalf.
1.2 Processor Obligations. Processor will process Customer Data only in accordance with (a) this DPA, (b) Controller’s
documented instructions, or (c) applicable Data Protection Legislation. Processor will not modify or alter the Customer Data
and will respect the confidentiality of the Customer Data in its role as Processor. Processor will ensure that any Sub
Processor is bound to the same confidentiality and data handling obligations as Processor under this DPA. Processor will not
disclose Customer Data to or permit access to unauthorized third parties.
1.3 Controller Obligations. Controller warrants that it has the required Customer consent to instruct Processor to process
Customer Data. Controller warrants that any Processing instructions provided to Cleverbridge comply with all applicable Data
Protection Legislation, and that Cleverbridge’s Processing of Customer Data in accordance with Controller’s instructions will
not cause Cleverbridge to be in breach of this DPA or the GDPR.
1.4 Processing Description. The purpose of the processing is to provide Controller with payment routing, an ecommerce
platform, and various ecommerce services to support Controller’s sale of its Products to Customers. The nature of the
processing is to perform payment routing whereby Processor passes payment data from Customer to the clearing and
settlement system of a Payment Service Provider so that Customer’s purchase of Client’s Product may be completed.
Furthermore, the purpose of the processing is to provide payment processing services necessary to complete a transaction
whereby Customer purchases a Controller Product. The nature of the processing is to manage Customer transactions, which
includes but is not limited to payment matching, reporting, and reconciling for payment methods used, consolidated payouts
and settlements, as well as payment routing.
1.5 Type of Personal Data. Processor shall process the following types of personal Information from visitors to Processor’s Online
Store or Customers: (a) name, (b) email address, (c) postal code, (d) postal address, (e) payment method including credit card
information, (f) IP address, (g) website tracking information, (h) Internet service Cleverbridge information, (i) device
information (including device ID and site-visit behavior), (j) Order number, (k) browser information (type, language, version,
screen size, etc.). Processor will not solicit Sensitive Data from visitors or Customers and will not knowingly process such
Sensitive Data.
1.6 Sub-Processors. Processor may engage Sub-Processors as is necessary to perform the Agreement. Controller agrees that
(a) Processor’s Affiliates may be retained as Sub-Processors; and (b) Processor and/or its Affiliates may engage third-party
Sub-Processors in connection with the provision of the Agreement.
1.7 Sub-Processor Obligations. Processor warrants that for any Sub-Processor it engages, it will enter into a written agreement
with the Sub-Processor containing data protection obligations like and no less protective than those contained in this DPA. If
a Sub-Processor fails to comply with its data protection obligations under such written agreement, Processor will remain
liable to Controller for the Sub-Processor’s performance. A current list of Sub-Processors can be found at
www.Cleverbridge.com/Sub-Processors.
1.8 Requests from Data Subjects. Processor will inform Controller of any formal requests by Data Subjects exercising their
rights under applicable Data Protection Legislation and will not respond to such requests unless instructed otherwise in
writing by Controller.
1.9 Breach Notification. Should Processor become aware of a Personal Data Breach affecting Customer Data, Processor shall
notify Controller without undue delay, and it shall take reasonable steps to provide Controller with information to allow
Controller to comply with any obligations to inform Data Subjects under applicable Data Protection Legislation.
1.10 Data Retention. Processor is required to comply with global regulations, some of which require Processor to retain
Customer Data for as long as is necessary to perform the Agreement. In general, Processor deletes Customer Data as soon
as it is no longer required under statutory retention periods or other applicable law, as set forth in its own Privacy Policy here:
https://grow.Cleverbridge.com/privacy-policy. Processor shall, however, follow Controller’s data retention policy, which
Controller shall make available to Processor. In the event Controller does not provide Processor with such policy, Processor
shall use its own, as set forth above.
1.11 Data Deletion. As soon as is reasonably practicable upon termination of this DPA, Processor will return or destroy any files
containing Customer Data unless prevented from doing so by applicable law or for a justifiable business purpose.
2. Technical and Organizational Measures
2.1 PCI-DSS Measures. Processor shall (a) encrypt storage and procure masked display of credit card information, (b) maintain
individual administrator-IDs for data processing systems and enforcement of secure passwords, (c) minimize storage of credit
card information to a minimum, (d) maintain lists of data processing machine inventory as well as implementation of PCI
recommended measures to prevent their tampering, credit card storage systems, public network transmission of Personal
Data to and from Payment Providers, (e) perform data backups in accordance with PCI-DSS recommendations.
2.2 Physical Security. Processor shall (a) operate databases containing payment information in secure and datacenters, (b)
procure that its production servers are air-conditioned, protected against fires and have a backup power (c) restrict access to
server-rooms to authorized personnel only, (d) require visitors in a Processor building to be always escorted, (e) operate
CCTV and/or post a security guard in selected buildings, (f) prepare emergency response procedures in case a building
experiences an emergency.
2.3 Security Incident Prevention and Response. Processor shall (a) maintain an Incident Response Plan and a risk management
process, (b) conduct regular vulnerability scans and penetration tests; (c) deploy and regularly update intrusion detection or
prevention systems on all systems and workstations, (d) specify criteria for secure development of in-house applications,
including a dual control principle security risk review, (e) report all security incidents through appropriate management and
security incident reporting channels as quickly as possible, (f) make all employees and contractors aware of the procedures
for reporting the security incidents.
2.4 User Access Management. Cleverbridge shall implement (a) restrictions to roles and access rights, using a need-to-know
principle, (b) logging and protocol evaluation systems, (c) strong cryptography and security protocols, (d) certified processes
and procedures to prevent disclosure or misuse of cryptographic keys, (e) access controls, alarm systems, and/or server
rooms, and/or data centers, (f) demilitarized zones and/or firewalls to protect the internal company network against web
based attacks, (g) separate production environment from development and test environments, (h) audit trails of individual
use of systems, (i) systems to detect unauthorized changes to critical systems, configurations, and/or content files, (k)
secure connections and mutual certificate authentication requirements to access all client-facing environments, (l)
restrictions on media dissemination based on risk classification.
2.5 Record of Processing Activities. Processor shall maintain a record of all categories of processing activities carried out for Controller’s to the extent required to enable Controller to comply with its obligations under applicable Data Protection
Legislation and require any sub-processors to do the same.
2.6 Management of Personnel and Third Parties. Processor shall (a) take reasonable steps to ensure any person authorized to
process personal data shall maintain confidentiality, (b) maintain policies and procedures to determine whether personnel
and third parties engaged by Processor are suitable for their roles, (c) provide appropriate security training and information,
such as its security awareness program, which provides training and awareness on corporate security policies and
compliance with PCI-DSS.
2.7 Business Continuity. Processor shall maintain business continuity and disaster recovery plans designed to maintain
Processor’s delivery of the Services with minimal interruption. Each plan will detail measures to support the restoration of full
operations as soon as possible after an emergency. The plans will address the need for failover capability and provision of an
alternate recovery site based upon the criticality of the business functions, with input from the business owners. Plans will
be periodically tested to make Processor’s most critical business applications readily available in the event of a declared
disaster. Backups will be stored offsite from the primary data source to support the recoverability of data importer systems in
the event of a disaster.
3. Miscellaneous
3.1 Audit. Upon reasonable, written request (and no more than once per year), Processor will make available to Controller or
third-party auditor, any information that is reasonably necessary to demonstrate compliance with this DPA.
3.2 Term and Termination. This DPA terminates in accordance with the Termination clause in the Agreement.
3.3 Liability and Indemnification. Subject to GDPR, CCPA, and any other applicable law, the total liability of Processor toward
Controller whether in contract, tort or under any other theory of liability, is subject to the applicable Limitation of Liability
clause in the Agreement. Controller agrees to indemnify and hold harmless Processor against all claims, actions, third party
claims, losses, damages, and expenses incurred by Processor arising directly or indirectly out of or in connection with a
breach by Controller of this DPA.
3.4 Governing Law. The Parties agree that the Governing Law provision in the Agreement shall apply to this DPA as well.
3.5 Conflicting Provisions. If a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA
shall prevail.
3.6 Updates to Data Privacy Regulations. In the event of change to the GDPR, CCPA, or other applicable Data Protection
Legislation, the Parties will promptly review this DPA and proceed with good faith negotiations to agree on any changes
necessary to comply with the law.
4. Definitions
4.1 “Customer” means an entity or person buying a Product on the Cleverbridge Online Store.
4.2 “Customer Data” means all Personal Data collected in connection with the provision of Services.
4.3 “Data Protection Legislation” means all laws, regulations, and governmental requirements applicable to the processing of
Customer Data or any replacement legislation, as applicable, including, but not limited to, the General Data Protection
Regulation 2016/679 (“GDPR”) and California Consumer Privacy Act (“CCPA”).
4.4 “Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs,
trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
4.5 “Sub-Processor” means any entity or person appointed by Processor to process Customer Data for Processor at the
direction of Controller.
4.6 “Data Subject”, “Processing”, “Personal Data”, and “Personal Data Breach” have the meanings given under GDPR.
Last updated November 1, 2023