Data Processing Agreement
Last Updated: October 2024
This Data Processing Agreement (the “DPA”) to the UNFI Media Network Terms, or such other agreement governing the direct relationship between the Parties hereto (collectively, the “Agreement”), is entered into by and between Swiftly and Retailer (each individually a Party and collectively the “Parties”).
1. Definitions
In addition to capitalized terms defined elsewhere in this DPA and the Agreement, the following terms shall have the meanings ascribed to them herein.
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
1.2. “Business” shall have the meaning ascribed to it in Privacy Laws.
1.3. “Consumer” and “Data Subject” shall have the meanings ascribed to them in Privacy Laws and shall be used interchangeably herein.
1.4. "Controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing Personal Information and shall have the same meaning as “business” as defined in the CCPA.
1.5. “Covered Data” means the Personal Information provided by the Retailer to Swiftly as detailed in the Agreement and for the purposes described in the Agreement.
1.6. “Data Subject Request” means any right afforded to a Data Subject under Privacy Laws, including, but not limited to, the rights of access, correction, deletion, portability, and to opt-out of certain Processing activities such as cross-context behavioral or targeted advertising.
1.7. “Personal Information” shall have the meaning ascribed to “personal information” or “personal data” in Privacy Laws.
1.8. "Privacy Laws" means all applicable laws and regulations, including, as applicable, laws and regulations of the United States, including without limitation, the Federal Trade Commission Act, the California Consumer Privacy Act of 2018 and its amendments including the California Privacy Rights Act (collectively, the “CCPA”), and Virginia’s Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Oregon Consumer Privacy Act (“OCPA”).
1.9. “Process” or “Processing” shall have the meanings ascribed to each in Privacy Laws.
1.10. "Processor" shall have the meaning ascribed to it in Privacy Laws and has the same meaning as “service provider” or “contractor” as defined in the CCPA.
1.11. “Services” shall have the meaning ascribed to “Service Offerings” in the Agreement.
2. Designation
The Parties acknowledge and agree that with regards to the Covered Data, depending on the nature of the Processing activity, (i) the Parties may concurrently be Controllers at times, and (ii) at other times one Party may be a Controller while the other is a Processor. The categories of disparate Processing activities are identified in Attachment A.
3. Common Obligations
When a Party is Processing Covered Data as either a Processor or as a Controller, the following terms shall apply:
3.1. Compliance with Law. With respect to the Covered Data, the Parties shall comply with Privacy Laws.
3.1.1. The Parties shall only Process Covered Data for the limited and specified purposes described in Attachment A.
3.1.2. Each Party shall notify the other Party in the event that it determines it can no longer meet its obligations under Privacy Laws.
3.2. Data Subject Rights. Each Party shall promptly notify the other Parties when they receive requests from Data Subjects exercising a Data Subject Request. The Parties shall coordinate mechanisms to collaborate and respond to any such requests within any statutory period prescribed by law. For avoidance of doubt, this Section 3.2 shall not create any obligation relating to fulfillment of Data Subject Requests for any third party that is not a Party to this DPA.
3.3. Security.
3.3.1. Each Party shall maintain appropriate technical and organizational measures for protection of the (i) security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, personal information), (ii) confidentiality of Covered Data and (iii) integrity of Covered Data; and as otherwise set forth in the Agreement or Attachment B (collectively, “Security Measures”).
3.3.1.1. Where one Party is a Processor and the other Party is a Controller, these Security Measures shall be in accordance with any written information security policies Controller may provide to Processor, as may be updated by Controller from time to time.
3.3.2. The Parties shall take reasonable steps to ensure that access to the Covered Data is limited on a need to know/access basis and that all personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Covered Data.
3.4. Security Incident. A Party subject to a Security Incident shall notify the other Party without undue delay (and, in any event, within seventy-two (72) hours upon Swiftly or any sub-processor of Swiftly becoming aware of a Security Incident). “Security Incident” means any confirmed or reasonably suspected unauthorized, accidental or unlawful (a) use, destruction, loss, or unauthorized disclosure, of, or (b) alteration of or access to, Personal Information.
3.4.1. Such notification shall be provided as follows in writing (by email) and telephonically using the information below:
Retailer: To the most recent email address and phone number associated with Retailer
Swiftly: +1 (866) 201-2322, support@swiftly.com
3.4.2. Immediately following the Party’s notification, each Party agrees to cooperate in good faith with the other Party in the investigation and remediation of any Security Incident.
4. Data Processor Obligations
When a Party is Processing Covered Data exclusively as a Processor, the following terms shall apply:
4.1. Limitations on Processing. Processor shall at all times comply with written instructions from Controller pursuant to the Agreement, this DPA, and all applicable laws, rules and regulations, including but not limited to, Privacy Laws. Processor may engage in the following Processing purposes on its behalf:
4.1.1.1. Auditing consumer transactions, including, but not limited to, measuring advertising performance to unique visitors.
4.1.1.2. Detecting and protecting against malicious, deceptive, fraudulent, or illegal advertising activity.
4.1.1.3. Identifying and repairing errors that impair existing intended functionality.
4.1.1.4. Short-term, transient use, provided that the Personal Information is not disclosed to another third party and is not used to build a profile about a Consumer.
4.1.1.5. Providing analytic, advertising, or marketing-related services, except for cross-context behavioral advertising, to the Consumer provided that, for the purpose of advertising and marketing, a Processor shall not combine the Personal Information of opted-out Consumers that the Processor receives from, or on behalf of, the Controller with personal information that the Processor receives from, or on behalf of, another person or persons or collects from its own interaction with Consumers. For the avoidance of doubt, cross-contextual behavioral advertising will be provided by Swiftly in its role as a Controller.
4.1.1.6. Undertaking internal research for technological development and demonstration.
4.2. Data Protection Risk/Impact Assessment. Processor shall provide reasonable assistance to Controller with any data protection risk and/or impact assessments, audits, certifications, or other product-centric privacy reviews with legal or regulatory authorities or other competent data protection authorities, which Retailer reasonably considers to be appropriate or required under any Privacy Laws, in relation to Processing of personal information by Controller.
4.3. Return or Deletion of Personal Information. Upon the expiration or termination of the Agreement, Processor shall, at Controller’s request either (i) securely return to Controller, or (ii) securely destroy, all personal information obtained by Swiftly in connection with the Agreement. Upon Controller’s written request, Swiftly will provide written confirmation to Controller of its compliance with this provision.
4.4. Audit. Upon the reasonable request of Controller, Processor shall make available to Controller all information in its possession necessary to demonstrate Processor's compliance with the obligations described in this DPA and shall allow for, and cooperate with, reasonable assessments by Controller or the Controller’s designated assessor. Controller shall not use such an audit report for any other purpose than to assess Processor’s compliance with this DPA. Controller shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Processor’s unauthorized use of personal information.
5. Controller Obligations
When Processing Personal Information as a Controller, Controller agrees that it shall:
5.1. Privacy Choices. Disclose to consumers, via an appropriate privacy notice, that it engages in third party cross-contextual and/or targeted advertising using Personal Information. Such privacy notice shall offer to Data Subjects, as applicable, instructions and/or a mechanism to consent or opt-out regarding the collection and sharing of their Personal Information with third parties for cross-contextual and/or targeted advertising (including, under the CCPA, a "Do Not Sell or Share My Personal Information" or “Your Privacy Choices” option) in compliance with applicable Privacy Laws. Controller agrees that it shall assist the other Party with providing any such required notice within any website or application in which it is serving as a Controller under the Agreement.
5.2. Additional Partner or Provider Obligations. Enter into appropriate contractual arrangements with any additional third party partners or providers, requiring all parties to comply with Privacy Laws including honoring consent or opt-out choices and coordinating with the other Parties as necessary to facilitate such requests within the statutory periods defined by applicable Privacy Laws.
6. General Terms
6.1. Termination and Survival. This DPA and all provisions herein shall so long as the Agreement is in effect.
6.2. Counterparts. This DPA may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this DPA by executing a counterpart.
6.3. Non-compliance. Each Party shall promptly inform the other if it is unable to comply with this DPA. If the non-complying Party cannot comply within a reasonable period of time, or is in substantial or persistent breach of this DPA, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the DPA and the Agreement insofar as it concerns processing of Covered Data.
6.4. Ineffective clause. If individual provisions of this DPA are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
6.5. Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
6.6. Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.