Data Processing Addendum

Date of Last Revision: February 1, 2023

This Data Processing Addendum (“DPA”) is incorporated into, and forms part of, the BigCommerce Terms of Service (the “Terms”) and applies where BigCommerce acts as a Processor on behalf of Customer for the provision of ecommerce Services. Capitalized terms that are not defined in this DPA have the meanings ascribed to them in Data Protection Laws, the Terms, or any other underlying agreement for the provision of ecommerce Services between Customer and BigCommerce, if any (an “Underlying Agreement”). In the event of any conflict between the Terms or an Underlying Agreement and this DPA, the provisions of this DPA will prevail; provided, however, that where a separate data protection agreement forms part of an Underlying Agreement, the most stringent applicable data protection term shall apply.

  1. Definitions.
    1. “Data Protection Laws” means any data protection legislation or regulation applicable to the Processing of Personal Data by BigCommerce under the Terms, including, as applicable: (i) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); (ii) the General Data Protection Regulation as it forms part of UK domestic law by virtue of the UK Data Protection Act 2018 and Section 3 of the European Union (Withdrawal) Act 2018 and subsequent amendments (“UK GDPR”); and (iii) the California Consumer Privacy Act of 2018, as amended or modified, including as amended by the California Privacy Rights Act of 2020 (“CCPA”). Unless otherwise stated, “GDPR” means both the EU GDPR and UK GDPR. Notwithstanding the foregoing, “Data Protection Laws” shall not include any laws or regulations that require the localisation of Personal Data.
    2. “Personal Data” means any information relating to an identifiable or identified Data Subject or Shopper who visits or engages in transactions through Customer’s store that (i) BigCommerce processes as a Processor while providing Customer with the Services under the Terms, and (ii) would be considered personal information or personal data as such terms/concepts are defined by applicable Data Protection Laws; provided, however, that Personal Data excludes any such information that has been aggregated or anonymized in a manner that is not (1) identifiable as having originated from the Data Subject, or (2) capable of allowing a recipient to infer the Data Subject’s information.
    3. “Controller”, “Data Subject”, “Processor” and “Processing” have the meanings ascribed to them in the GDPR and their cognate terms will be construed accordingly.
    4. “Subprocessor” means an entity appointed by BigCommerce to Process Personal Data on behalf of Customer in connection with the Terms and excludes the following: (i) third-party apps in BigCommerce’s app marketplace; and (ii) third party contributions, features, functionality, consulting or other third-party services elected by Customer.
  2. Roles and Processing.  BigCommerce shall act as Processor and Process the Personal Data only to provide the Services, on Customer’s documented instructions, or as consistent with the Terms or any Underlying Agreement. Customer shall act as Controller and shall comply with all applicable laws, including Data Protection Laws, in providing Personal Data to BigCommerce and further represents and warrants that all Personal Data will be collected and used by or on behalf of Customer in compliance with such laws, including with respect to any applicable obligations to provide notice to and/or obtain consent from individuals.
  3. Subprocessing.  BigCommerce may use Subprocessors to process the Personal Data in compliance with Data Protection Laws. BigCommerce’s current Subprocessors are set forth at https://www.bigcommerce.com/pr..., or its successor page.
    1. Additions; Replacement. This DPA is Customer’s general written authorization for BigCommerce to engage Subprocessors; provided, however, that BigCommerce will inform Customer through Customer’s primary contact or by posting on Customer’s control panel any intended changes concerning the addition or replacement of Subprocessors. If, within 14 days of receiving such notice, Customer does not provide written notice to BigCommerce of any reasonable objections that detail why the proposed Subprocessor would not adequately support Customer’s obligations under the Data Protection Laws, Customer will be deemed to have consented to the proposed engagement. If the parties are not able to resolve a reasonable objection and BigCommerce continues to appoint such Subprocessor, then Customer will be entitled to terminate any agreements with respect to the processing of Personal Data under the Data Protection Laws by the new Subprocessor without any liability as a result of such termination (such termination, a “Subprocessor Objection Termination”). For the avoidance of doubt, BigCommerce shall have no liability for a Subprocessor Objection Termination and such Subprocessor Objection Termination shall not constitute a termination for breach.
    2. Liability. BigCommerce shall conduct security, privacy, and transfer assessments of all Subprocessors prior to onboarding and will enter into written agreements with any Subprocessor requiring the Subprocessor to provide a substantially similar level of data protection and information security as provided by this DPA and required by Data Protection Laws. BigCommerce will remain liable for any Subprocessor’s compliance with its obligations and for any acts or omissions of a Subprocessor that cause a Subprocessor to fail to fulfill such obligations or that cause BigCommerce to breach any of its material obligations under this DPA.
  4. Confidentiality.  BigCommerce will treat all Personal Data that it Processes as confidential and will inform its employees, agents and/or approved Subprocessors engaged in Processing Customer Personal Data of the confidential nature of the Personal Data. BigCommerce will make commercially reasonable efforts to ensure that these persons or entities have signed an appropriate confidentiality or data protection agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
  5. Security.  BigCommerce will implement the measures set forth in Exhibit A and not less than appropriate technical and organizational measures to protect the security of the Processing of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  6. Assistance/Inspections. BigCommerce will make relevant information necessary to demonstrate compliance with Article 28 of the GDPR reasonably available. At Customer’s written request, BigCommerce will, taking into account the nature of processing and the information available to the processor, reasonably assist the Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR.
    1. For the avoidance of doubt, Customer agrees and understands that the resources available via the BigCommerce Platform Trust Center (currently available at: security.bigcommerce.com) or its successor page, including but not limited to BigCommerce’s most recent third-party audit attestations, certifications, and reports, will suffice for purposes of any required documentation under this provision.
    2. To the extent the documentation identified in Section 6.1 does not provide sufficient information under Data Protection Laws, then BigCommerce will, at Customer’s expense and subject to reasonable notice, scope, frequency, relevancy, and confidentiality requirements, allow for and contribute to audits, including inspections, conducted by Customer or an appropriately-qualified auditor, provided that the information sought is not reasonably available through less intrusive means. Customer will reimburse BigCommerce for any time expended on such audits or inspections.
  7. Data Subject Requests. To the extent possible and taking into account the nature of the processing, BigCommerce will make commercially reasonable efforts to assist Customer by providing functionality or taking appropriate measures to help fulfill Customer’s obligation to respond to Data Subject requests under applicable Data Protection Laws.
  8. Notifications. If BigCommerce is otherwise required to comply with a legal obligation, BigCommerce will make commercially reasonable efforts to inform Customer of that legal obligation, unless BigCommerce is prohibited from doing so. BigCommerce will inform Customer if, to its knowledge, an instruction from Customer would infringe Data Protection Laws.
  9. Incident Management. If BigCommerce becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by BigCommerce under this DPA while providing the ecommerce Services (a “Security Incident”), it will, without undue delay, notify Customer and provide Customer a description of the Security Incident as well as periodic updates to information about the Security Incident. In accordance with Exhibit A, BigCommerce will investigate the Security Incident and take reasonable steps to prevent or mitigate the effects of a Security Incident caused by a material breach of BigCommerce’s obligations under this DPA.
  10. Sensitive Data. Except as specifically provided otherwise, the Services are not intended to store any type of Sensitive Personal Data, including any data that may be considered “special categories of personal data” under Data Protection Laws, or that otherwise would reasonably be considered sensitive in nature (collectively, “Sensitive Data”). For example, the Services are not intended to store or use sensitive health data, including but not limited to protected health information (“PHI”), as defined by the Health Insurance Portability and Accountability Act of 1996 and its enabling regulations and related laws (“HIPAA”). Customer will not provide BigCommerce with any Sensitive Data through use of the Services.
  11. Data Transfer. BigCommerce may transfer, process and store Personal Data in regions in which BigCommerce or its Subprocessors operate, subject to compliance with Data Protection Laws.
    1. BigCommerce is a participant in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. To the extent such frameworks, or any successor frameworks, are deemed adequate as valid transatlantic data transfer mechanisms, BigCommerce may utilize such frameworks to transfer Personal Data. BigCommerce will notify Customer if it can no longer meet its obligation to provide the level of protection required by the Privacy Shield principles.
    2. If and to the extent that any processing of Personal Data subject to the EU GDPR by BigCommerce takes place in any country outside the EEA whose laws do not provide an adequate level of data protection and an independently valid data transfer mechanism does not exist, or either party relies on a transfer mechanism that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:

      a) the parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer; and

      b) the Standard Contractual Clauses approved by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914, Controller-to-Processor Clauses (Module Two) (“EU SCCs”) will apply:

      i. for the purposes of Annex I to the EU SCCs, BigCommerce will comply with the obligations of “data importer” and the Customer will comply with the obligations of “data exporter;”

      ii. the activities of Customer as data exporter, of BigCommerce as data importer, and the details of the data subjects, types of data, special categories of data (if appropriate) and processing operations are as set out throughout this DPA and in the table on page 1 of this DPA;

      iii. Clause 3 of this DPA (Subprocessing) shall apply for purposes of Annex III to the EU SCCs and for general written authorization of sub-processors under Clause 9(a) of the EU SCCs (Use of sub-processors);

      iv. the laws of the Republic of Ireland will govern the EU SCCs (Clause 17) and that the choice of forum and jurisdiction shall be the courts of the Republic of Ireland (Clause 18(b));

      v. for the purposes of Annex I.C. (Competent Supervisory Authority), the competent supervisory authority is the Data Protection Commission, Ireland; and

      vi. Exhibit A of this DPA shall apply for the purposes of Annex II to the EU SCCs (Technical and Organisational Measures).

    3. If and to the extent that any processing of Personal Data subject to the UK GDPR by BigCommerce takes place in any country outside the UK whose laws do not provide an adequate level of data protection and an independently valid data transfer mechanism does not exist, or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:

      a) the parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer; and

      b) the terms of the International Data Transfer Addendum to the EU SCCs in force 21 March 2022 issued by the UK Information Commissioner’s Office pursuant to S119A(1) of the UK Data Protection Act 2018 (“UK IDTA”) will apply:

      i. for purposes of Part I of the UK IDTA, the terms of this DPA, including the relevant roles of the parties as set forth in Section 11.2(b) and the technical and organizational measures set out in Exhibit A, shall apply;

      ii. both Customer and BigCommerce shall be allowed to end subscription to the UK IDTA as set out in Section 19 of the UK IDTA; and

      iii. for purposes of Part 2 of the UK IDTA, the EU SCCs shall apply.

    4. If and to the extent that any processing of Personal Data subject to the jurisdiction of the Swiss Federal Data Protection and Information Commission (“FDPIC”) takes place in any country outside Switzerland whose laws do not provide an adequate level of data protection and an independently valid data transfer mechanism does not exist, or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:

      a) the parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer; and

      b) the EU SCCs and cognate roles, activities, and authorizations set forth in Section 11.2(b) will apply, except that:

      i. all references to the GDPR shall be read to include reference to the Swiss Data Protection Act; and

      ii. the competent supervisory authority shall be the FDPIC.

    5. BigCommerce will notify Customer if it can no longer meet its obligation to provide the level of protection required by Data Protection Laws.

  12. CCPA Compliance. If BigCommerce Processes Personal Data of California residents, BigCommerce shall comply with the CCPA. Specifically, BigCommerce agrees that:
    1. BigCommerce acts solely as a Service Provider in relation to Personal Data (“Service Provider” shall have the meaning ascribed to it in the CCPA) and, in accordance with the provisions of this DPA, Customer alone determines the purposes and means of the Processing of Personal Data.
    2. BigCommerce will not sell Personal Data of California residents, and the parties acknowledge and agree that Customer does not sell Personal Data to BigCommerce in connection with the Services. Further, as set forth elsewhere in this DPA, BigCommerce will not retain, use, share, or disclose Customer Personal Data (1) for any purpose other than performing or supporting the Services, or (2) outside of the direct business relationship between the parties except as authorized through the Terms or an Underlying Agreement. When utilizing Subprocessors to perform or support the Services, BigCommerce will comply with the provisions of Section 3 of this DPA.
    3. For the purposes of data security under the CCPA, BigCommerce shall comply with the applicable requirements and restrictions set forth in the Terms and this DPA, including Exhibit A.
  13. Termination. Upon termination of the Services or expiration of the Term, subject to Data Protection Laws, BigCommerce will promptly delete or anonymize Personal Data. If Customer requests a copy of such Personal Data prior to deletion, BigCommerce will make a copy of such Personal Data reasonably available to Customer.

  14. Updates. Subject to compliance with Data Protection Laws, BigCommerce may update this DPA periodically, including as necessary to account for changes in circumstances, Data Protection Laws, international data transfer mechanisms, and BigCommerce products, features, or functionality. BigCommerce will not materially decrease the overall level of data protection provided by this DPA without advance notice.


Exhibit A

Security Procedures


  1. Security Controls. BigCommerce will maintain security measures appropriate to the nature of the Personal Data including the following. Additional information about BigCommerce’s current data security, protection, and transfer practices may be made available via the BigCommerce Platform Trust Center.
    1. Generally. BigCommerce will maintain an information security management system (“ISMS”), maintain automated tools to identify attempts to exfiltrate data, use certificate-based security, and develop and maintain secure key management policies and procedures. BigCommerce will monitor, log, audit, and escalate threats after applicable risk assessments have been performed. BigCommerce will manage the secure lifecycle of systems and software.
    2. Boundary Defense and Security Segmentation.  BigCommerce will monitor, detect, and restrict the flow of information on a multilayered basis. BigCommerce will design and implement multilayered and secure network and system segmentation.
    3. Physical Security.  BigCommerce will maintain an access control system that enables BigCommerce to monitor and control physical access to BigCommerce facilities.
    4. ISMS. BigCommerce operates a comprehensive ISMS. BigCommerce’s ISMS is audited and certified annually by an independent third-party to meet or exceed ISO/IEC 27001 technical standards. BigCommerce will use commercially reasonable efforts to maintain such certification during the Term, as well as controls consistent with or substantially similar to the following technical and organizational measures:
      a) Encryption. Where applicable, BigCommerce encrypts Personal Data by default in-transit and at-rest.

      b) Minimization. BigCommerce minimizes personal data on its platform by design, including through anonymization, pseudonymization, and deidentification where practicable.

      c) Cybersecurity. Where applicable, BigCommerce infrastructure includes perimeter and host-based firewalls, file integrity monitoring, access control monitoring, intrusion detection, and application firewalls.

      d) Integrity and Stability. BigCommerce infrastructure is logically segmented and replicated throughout multiple availability zones. Each store on the platform is protected by multiple layers of security and access control, including cloud security posture management and global cloud network protection.

      e) Testing. BigCommerce conducts frequent vulnerability scans and engages third-party providers to conduct substantive vulnerability assessments.

      f) Governance. As a matter of policy and practice, BigCommerce takes organizational measures to promote:

      i. commercially reasonable internal IT and IT security governance, management, and training;

      ii. commercially reasonable business continuity planning and management;

      iii. commercially reasonable ability to restore availability and access in the event of an incident;

      iv. regular testing, assessment and evaluation of the effectiveness of BigCommerce’s organizational measures;

      v. commercially reasonable user identification, authorization, and access control;

      vi. commercially reasonable secure system configuration;

      vii. assessment of Subprocessors in accordance with BigCommerce’s ISMS and obligations as a Processor, including with regard to security, privacy, and transfer impact;

      viii. data deletion, where applicable, in accordance with BigCommerce’s contractual obligations, internal policies, obligations as a Processor, and Data Protection Laws; and

      ix. re-evaluation of technical and organizational measures in light of relevant changes.

  2. Personnel.  Where applicable to the Processing, BigCommerce will (a) subject to applicable law, perform or require background screening, (b) provide or require security training, and (c) require appropriate confidentiality and security obligations.

  3. Verification of Security Controls.
    1. Security Audits. On an annual basis, BigCommerce will, at its sole cost and expense, retain an independent, appropriately-qualified auditor to undertake an assessment of and prepare a report of BigCommerce’s ISMS and information security controls. BigCommerce will conduct periodic penetration tests from the perspective of an external attacker and a credentialed user. On an annual basis, BigCommerce will conduct a PCI-DSS audit and make the summary Attestation of Compliance available.
    2. Deficiencies. BigCommerce will at its own expense promptly cure deficiencies identified in any audit or vulnerability scan with a CVSS score of 4.0 or greater or that materially and adversely affects Customer Personal Data.

  4. Security Incidents.
    1. Notification. Upon BigCommerce’s discovery of a Security Incident and unless prohibited by applicable law, BigCommerce will notify Customer no later than 72 hours following its confirmation of a Security Incident, and provide the following information:

      a) a summary of the Security Incident,

      b) an expected resolution time (if known), except that if the resolution path is unknown at the time of notification, BigCommerce will advise Customer that the path is unknown, and

      c) a means to obtain continued incident updates, if applicable.

    2. Security Incident Procedures. In the event of a Security Incident caused by a material breach of BigCommerce’s obligations under this DPA, BigCommerce will, subject to the liability limits of the Terms or any Underlying Agreement, (a) reasonably cooperate with any investigation concerning the Security Incident by Customer, regulators, or law enforcement, and (b) reasonably cooperate with Customer to comply with applicable law concerning such Security Incident, including any notification to affected data subjects. For the avoidance of doubt, BigCommerce shall not be liable for any Security Incident caused by Customer or by any third-party integrations or services elected by Customer.
    3. Customer Reporting. Customer may report Security Incidents to affected persons and/or any governmental authority or agency having supervisory or oversight authority over Customer or Security Incidents.
    4. Corrective Measures. BigCommerce will undertake a procedural review and audit to determine measures to avoid occurrence of a similar situation, notify Customer of the corrective measures undertaken, and take additional measures reasonably deemed appropriate by BigCommerce.