Data Processing Addendum
This DPA is supplemental to the Terms and sets out the roles and obligations that apply when Cavius processes Personal Data falling within the scope of the GDPR on behalf of Customer in the course of providing the Services.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms.
1.1 For the purposes of this DPA:
(a) "EEA" means the European Economic Area.
(b) "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
(d) The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "Data Subject" have the meanings given to them in the GDPR.
2. Applicability of DPA
2.1 Applicability. This DPA will apply onwards to the extent that Cavius processes Personal Data falling within the scope of the GDPR on behalf of Customer in the course of providing the Services.
3. Roles and Responsibilities
3.1 Roles of the Parties. As between Cavius and Customer, Customer is the Data Controller of the Personal Data described in Annex A and Cavius shall process the Personal Data as a Data Processor acting on behalf of Customer.
3.2 Customer Processing of Personal Data. Customer shall be responsible for:
(a) Complying with all applicable laws relating to privacy and data protection in respect of its use of the Services, its processing of the Personal Data, and any processing instructions it issues to Cavius;
(b) Ensuring it has the right to transfer, or provide access to, the Personal Data to Cavius for processing pursuant to the Terms and this DPA; and
3.3 Cavius Processing of Personal Data. Cavius shall process the Personal Data for the purposes of providing set out in Annex A and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Loyverse Services on Customer's behalf) as set out in the Terms, this DPA or otherwise in writing.
4.1 Security. Cavius shall implement appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (a "Security Incident").
4.2 Confidentiality obligations. Cavius shall ensure that any personnel that it authorizes to process the Personal Data shall be subject to a duty of confidentiality.
4.3 Security Incidents. Upon becoming aware of a Security Incident affecting Personal Data processed by Cavius, Cavius shall notify Customer without undue delay. Cavius shall make reasonable efforts to identify the cause of the Security Incident and to take such steps as Cavius deems necessary and reasonable to mitigate the effects of such Security Incident, to the extent such efforts are within Cavius' reasonable control. Cavius shall make reasonable efforts to provide such information as Customer may reasonably require to enable Customer to fulfil any data breach reporting obligations under the GDPR.
5.1 Sub-processors. Customer agrees that Cavius may engage Cavius affiliates and third party sub-processors (collectively, "Sub-processors") to process Personal Data on Cavius' behalf provided that:
(a) Cavius shall maintain an up to date list of Sub-processors at https://loyverse.com/terms-use which it shall update with details of any change in Sub-processors at least ten (10) days prior to any such change;
(b) Cavius imposes on such Sub-processors data protection terms that require it to protect the Personal Data to the standard required by applicable data protection laws; and
(c) Cavius remains liable for any breach of the DPA caused by a Sub-processor.
5.2 Objection to Sub-processors. Customer may object to Cavius' appointment or replacement of a Sub-processor prior to its appointment or replacement provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Cavius, at its discretion, will either not appoint or replace the Sub-processor or will permit Customer to suspend or terminate the affected Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
6. International Transfers
6.1 International transfers. To the extent that Cavius transfers any Personal Data originating from the EEA to a country that has not been designated by the European Commission as providing an adequate level of data protection, it shall put in place such measures as are necessary to ensure such transfer is in compliance with the GDPR. Customer authorizes transfers of Personal Data to such destinations outside of the EEA subject to such appropriate safeguards having been put in place.
7.1 Data subject rights. Cavius shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to requests from data subjects seeking to exercise their rights under the GDPR. In the event such request is made directly to Cavius, Cavius shall promptly inform Customer of the same.
7.2 Data protection impact assessments. Cavius shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfil Customer's obligation to carry out data protection impact assessments and prior consultations with supervisory authorities, to the extent required under the GDPR and to the extent Customer does not otherwise have access to the relevant information.
7.3 Provision of information and reports. Cavius shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this DPA by request to [email protected].
7.4 Audit. Whilst it is the parties' intention ordinarily to rely on the provision of the documentation to verify Cavius' compliance with this DPA, Cavius shall permit the Customer (or its appointed third party auditors) to carry out an audit of Cavius' processing of Personal Data under the Terms following a Security Incident suffered by Cavius, or upon the instruction of a data protection authority. Customer must give Cavius reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Cavius' operations. Any such audit shall be subject to Cavius' security and confidentiality terms and guidelines. If Cavius declines to follow any instruction requested by Customer regarding audits, Customer is entitled to terminate this DPA and the Terms.
8. Return/Deletion of Data
8.1 Return or deletion of Personal Data. Upon termination or expiry of the Terms, Cavius shall delete or return to Customer the Personal Data (including copies) in Cavius' possession in accordance with the procedures and timeframes specified in the Terms. This requirement shall not apply to the extent that Cavius is required by applicable law to retain some or all of the Personal Data. For Personal Data archived on backup systems, Cavius shall delete this data generally within 6 months of termination or expiry of the Terms (where reasonably possible).
9.1 Except as amended by this DPA, the Terms will remain in full force and effect.
9.2 Any claims brought under this DPA shall be subject to the Terms, including but not limited to the exclusions and limitations of liability set forth in the Terms.
9.3 If there is a conflict between this DPA and the Terms, the DPA will control.
Data Processing Description
This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.
The controller is:
The entity entering into an agreement with Cavius for the provision of Loyverse point of sale and retail management services, referred to as "Customer" in the DPA.
The processor is:
Cavius International Limited, a company incorporated under the laws of the Republic of Cyprus, which provides point of sale and inventory management software and related services ("Services") to the Customer.
The personal data to be processed concern the following categories of data subjects:
- Consumers and employees of the Customer: past, present and potential consumers and employees of the Customer located in the EEA whose Personal Data is submitted to the Services.
- Other EEA individuals whose Personal Data is submitted to or processed through the Services on behalf of the Customer.
Categories of data
The personal data to be processed concern the following categories of data:
- Contact information: such as names, email addresses, phone numbers, contact details
- Sales information: such as details of the transactions undertaken through the Services, products/services purchased, date/time, payment amount/method, returns, communications with controller etc.
- Any other information that consumers/employees have provided to the Customer which are processed through the Services, the extent of which is determined and controlled by the Customer or consumer/employee in their sole discretion
Special categories of data (if appropriate)
The personal data to be processed concern the following special categories of data (please specify):
Cavius does not intentionally collect or process any special categories of data in the provision of its Services. Under the Terms, the Customer agrees not to provide (or permit any user to provide) any special categories of data to Cavius for processing.
The personal data will be subject to the following basic processing activities:
- The provision, operation and delivery of the Services
- Any other purposes pursuant to Customer's Terms with Cavius