Data Processing Addendum

 

This Data Processing Addendum (“Addendum”) amends the Circeus Terms and Conditions and Privacy Policy (“Agreement”) by and between Circeus, One Kingdom Street, Paddington Central, London - W2 6BD, United Kingdom (“Circeus”) and the customer entity that is the party to the Agreement (“Customer”). 


  1. DEFINITIONS


1.1. Agreement means Circeus Terms and Conditions and Privacy Policy, or other written or electronic agreement, which govern the provision of the service to Customer.


1.2. Customer Data means any personal data that Circeus processes on behalf of Customer.


1.3. Data Protection Laws means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of processing Personal Data in question under the Agreement, including without limitation, the CCPA and the data protection and privacy laws of Canada, Australia and Brazil.

1.4 (a) European Data Protection Laws means all data protection laws and regulations applicable to Europe including General Data Protection Regulation (GDPR).

1.4 (b) CCPA/CPRA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq, and its implementing regulations, as may be amended from time to time, including the California Privacy Rights Act.

1.5. Europe means, for the purpose of this document, the European Economic Area (EEA) and its member states, Switzerland and the United Kingdom.

1.6. The terms “personal data”“controller”“data subject”“processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.

1.7. (a) Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, the FADP, the CCPA/CPRA, the Virginia Consumer Data Privacy Act, and the Colorado Privacy Act, as known or reasonably expected by Yotpo to be applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.

1.7 (b) Sensitive Data means any information that falls within the definition of “special categories of data” under applicable Data Protection Laws, including social security number, genetic, biometric or health information, racial, ethnic, political or religious affiliation, criminal record. 

1.8. Sub-processor means any processor engaged by Circeus or its affiliates to assist in fulfilling its obligations with respect to providing the service pursuant to the Agreement or this Ammendum.

1.9. Security Incident means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Circeus.



  1. ROLES AND RESPONSIBILITIES


2.1. If European Data Protection Laws apply to either party’s processing of Customer Data, the parties acknowledge and agree that with regard to the processing of Customer Data, Circeus is a processor acting on behalf of Customer (whether itself a controller or a processor). This addendum will not apply to instances where Circeus is the controller.


2.2. Circeus will process Customer Data as further described in Annex A of this Ammendum. Customer will not provide any Sensitive Data to Circeus for processing under this Ammendum, and Circeus will have no liability whatsoever for Sensitive Data in any case. 


2.3. Customer will ensure that Circeus's processing of the Customer Data in accordance with Customer’s instructions will not cause Circeus to violate any applicable law, regulation, or rule, including, Data Protection Laws. Where Customer acts as a processor on behalf of a third-party controller, Customer warrants that its processing instructions, including its authorizations to Circeus for the appointment of Sub-processors in accordance with this Ammendum, have been authorized by the relevant controller. Customer shall serve as the sole point of contact for Circeus and Circeus will not interact directly with any third-party controller.


  1. SUB-PROCESSING


3.1. Customer agrees that Circeus may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Circeus and authorized by Customer are Shopify Inc, Canada and its affiliates;


3.2. Circeus will enter into a written agreement with each Sub-processor containing data protection obligations, to the extent practicable, no less protective than those in this Addendum or as may otherwise be required by applicable Data Protection Laws and regulations. Circeus agrees to be responsible for the acts or omissions of each such Sub-processor to the same extent as Circeus would be liable if performing the services of such Sub-processor under the terms of the Addendum.


3.3. Circeus will inform Customer of any new Sub-processor engaged during the term of the Agreement by updating the Sub-processor list (stated in 3.1.). If Customer reasonably believes that the appointment of a new Sub-processor will have a material adverse effect on Circeus's ability to comply with applicable Data Protection Laws and regulations, then Customer must notify Circeus in writing, within 30 days following the update to the Sub-processor list.


3.4. Customer acknowledges and agrees that, where applicable, Circeus may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality restrictions but Circeus shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-processor agreements.


  1. SECURITY


4.1. Circeus shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data.


4.2. Circeus shall ensure that any person who is authorized by Circeus to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).


4.3. Circeus agrees to implement appropriate technical and organizational measures designed to protect Customer Data. Those measures include physical security, regular backups, etc.


4.4. Upon becoming aware of a Security Incident, Circeus shall: a) notify Customer without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; b) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; c) promptly take reasonable steps to contain and investigate any Security Incident. Circeus's notification of or response to a Security Incident shall not be construed as an acknowledgment by Circeus of any fault or liability with respect to the Security Incident.


4.5. Customer is responsible for its secure use of the Service, including, if applicable, securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.


  1. SECURITY REPORTS 


5.1. Circeus shall make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum.


  1. INTERNATIONAL TRANSFERS


6.1. Customer acknowledges that Circeus may transfer and process Customer Data anywhere in the world where Circeus, its affiliates or its Sub-processors maintain data processing operations. Circeus shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this Ammendum.


  1. DELETION OF DATA


7.1. Upon termination or expiration of the Agreement, Circeus shall delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Circeus is required by applicable law to retain some or all of the Customer Data.


7.2. When Customer requests deletion of Customer Data by Companies operated under Circeus collects to Shopify and Shopify notify Circeus via webhooks (the process is described on https://shopify.dev/apps/webhooks/ 
configuration/mandatory-webhooks), Circeus shall promptly confirm their receipt of the request and complete the action within 30 days of receipt (unless Circeus is legally required the retain the data). We have implemented the following webhooks: Data Requests, Customer Data Redaction and Shop Data Redaction. 


  1. DATA SUBJECT RIGHTS AND COOPERATION


8.1. Circeus shall, considering the nature of the processing, provide reasonable assistance to Customer to the extent possible to enable Customer (or its third-party controller) to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to Circeus directly, Circeus shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact Customer) or legally required, without Customer’s prior authorization. If Circeus is required to respond to such a request, Circeus shall, where the Customer is identified or identifiable from the request, promptly notify Customer and provide Customer with a copy of the request unless Circeus is legally prohibited from doing so. 


8.2. To the extent required under applicable Data Protection Laws, Circeus shall (considering the nature of the processing and the information available) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. 


8.3. Circeus does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Customer Data. If Circeus receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about Customer Data belonging to a Customer whose primary contact information indicates the Customer is located in Europe, Circeus shall: a) review the legality of the request; b) inform the government agency that Circeus is a processor of the data; c) attempt to redirect the agency to request the data directly from Customer; d) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and e) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. 

8.4. CCPA/CPRA Standard of Care; No Sale of Personal Information. Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to Customers under the Agreement. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer's behalf, nor shall it combine the Personal Information Processed on Customer's behalf with any information it processes on behalf of any other parties, by way of logical separation, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. Processor certifies that it understands the rules, requirements and definitions of the CCPA/CPRA and agrees to refrain from selling and/or sharing (as such term is defined in the CCPA/CPRA) any Personal Information Processed hereunder without Customer's prior written consent or instruction, nor taking any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” or “sharing” such Personal Information under the CCPA/CPRA.

  1. GENERAL


9.1  Any claims made against Circeus or its affiliates under or in connection with this Addendum shall be brought solely by the Customer entity that is a party to the Agreement.


9.2. This Addendum shall remain in effect for as long as Circeus carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement.


9.3. In the event of any conflict or inconsistency between this Addendum and the Agreement, the provisions of this Addendum will prevail.


ANNEX A


Categories of data subjects: The categories of data subjects whose personal data is processed include, but not limited to, Customer’s end users.


Categories of personal data: Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data: name, address, phone number and e-mail.


Frequency of processing: Continuous and as determined by Customer.


Subject matter and nature of the processing: The subject matter of the data processing under this Addendum is the Customer Data. Customer Data will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

  1. Storage and other processing necessary to provide, maintain and improve the service provided to Customer pursuant to the Agreement; and/or
  2. Disclosures in accordance with the Agreement and/or as compelled by applicable law.


Purpose of the processing: Circeus shall only process Customer Data for the permitted purposes, which shall include: a) processing as necessary to provide the service in accordance with the Agreement; b) processing initiated by Customer in its use of the Service; and c) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.


Duration of processing and period for which personal data will be retained: As described in Section 7.



Effective, July 2026