DATA PROCESSING ADDENDUM


This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Agreement between Bloomreach ("Bloomreach" and "data importer") and the party identified as the Customer in the Agreement ("Customer" or "data exporter"). This DPA sets out the terms that apply to the parties when Processing Personal Data in connection with the provision of the Services.

For the avoidance of doubt, the Bloomreach Entity that is the party to the Agreement shall be the same party entering into this DPA.


DEFINITIONS

For the purposes of this DPA, capitalized terms not otherwise defined shall have the meaning given to them in the Agreement. 

“Agreement” means either (i) the Master Subscription Agreement, together with applicable Appendices and Sales Orders; or (ii) any other written or electronic agreement incorporating this DPA, governing the Customer's access to and use of the Services.

"Bloomreach" means the Bloomreach Entity that is a party to the Agreement.

"Bloomreach Entity" means Bloomreach, Inc., Bloomreach B.V. or any other Affiliate of Bloomreach, Inc.

“Affiliate(s)” means any entity controlling, controlled by, or under common control with a Party.

“CCPA” means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this DPA.

“Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Bloomreach under this DPA.

“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data: (i) the CCPA and any regulations made under the CCPA, and (ii) EU/UK Data Protection Law.

"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the "GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection 1992 ("Swiss DPA"); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time.

“Personal Data” means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by Bloomreach on behalf of Customer in the course of providing the Services, as more particularly described in Annex 1 (A) of this DPA.

"Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Swiss Federal Data Protection and Information Commissioner or the Federal Council (as applicable).

“Sub-processor” means any third party engaged by Bloomreach to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as a Processor.

“Services” means the services provided by Bloomreach to the Customer pursuant to and as more particularly described in the Agreement.

"Standard Contractual Clauses" means: (i) the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"), as applicable in accordance with Section 6 (Data Transfers).

The terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the GDPR, and the terms "business", "service provider" and "sale" shall have the same meanings given to them under the CCPA.

1. BLOOMREACH OBLIGATIONS

1.1 Roles. For the purposes of EU/UK Data Protection Law, Customer is the Controller or Processor of Personal Data and Bloomreach shall Process Personal Data as a Processor; and for the purposes of the CCPA (where applicable), Customer is the "business" and Bloomreach is the "service provider".

1.2 Permitted Purposes. Bloomreach shall Process Personal Data only for the purposes described in Annex 1 or otherwise agreed between the Parties and in accordance with the Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Legislation. In no event will Bloomreach Process Personal Data for its own purposes or those of a third party. In particular, and to the extent the CCPA is applicable, Customer's transfer of Personal Data to Bloomreach is not a sale, and Bloomreach provides no monetary or other valuable consideration to Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Section 1.2 constitutes Bloomreach's certification with respect to the Processing instructions herein. Bloomreach acts on behalf of and on the instructions of the Customer in carrying out the Permitted Purposes.

1.3 Processing Instructions. The Agreement, including this DPA, along with the Customer's configuration of any settings or options in the Services, constitute Customer's complete and final instructions to Bloomreach regarding the Processing of Personal Data, including for the purposes of the Standard Contractual Clauses. Any additional or alternate instructions must be consistent with the terms of the Agreement. Bloomreach: (i) shall immediately inform the Customer if it becomes aware that Customer's Processing instructions infringe Data Protection Legislation (but without obligation to actively monitor Customer's or, where applicable, its Controller's compliance with Data Protection Legislation); and (ii) in such circumstances, may, without liability, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend access to the Customer’s account. If the parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole and exclusive remedy, terminate the Agreement (including this DPA) with respect to the affected Processing. Customer will have no further claims against Bloomreach (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Agreement as described in this Section.

1.4 Security Measures. Bloomreach shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data from Data Breaches and to preserve security and confidentiality of Personal Data, in accordance with the measures identified in Annex 3 of this DPA ("Security Measures"). The Customer acknowledges that the Security Measures are subject to technical progress and development and accordingly, Bloomreach may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade or diminish the overall security of the Services.

1.5 Access and Confidentiality. Bloomreach shall ensure that any personnel tasked with Processing the Personal Data are subject to appropriate obligations of confidentiality (whether a contractual or statutory duty), have received appropriate training, and Process Personal Data only for the Permitted Purposes.

1.6 Data Returns and Deletion. Upon termination or expiration of the Agreement, Bloomreach shall (at Customer's election) delete or return to Customer all Personal Data (including copies) in its possession or control in accordance with the Agreement. The parties agree that this requirement shall not apply to the extent Bloomreach is required by applicable law to retain some or all of the Personal Data, or to Personal Data archived on back-up systems, which Personal Data Bloomreach shall securely isolate and protect from any further Processing. Bloomreach shall delete such retained data without undue delay when technically feasible and/or allowed by the applicable law. The parties agree that the certification of deletion of Personal Data described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided by Bloomreach to Customer only upon Customer's written request.


2. AUDIT RIGHTS

2.1 Audit Reports. Upon request, Bloomreach shall supply (on a confidential basis) copies of any certifications, audit report summaries and/or other relevant documentation it holds and which Bloomreach generally makes available to its customers. In addition, Bloomreach shall respond to all reasonable requests for information made by Customer that are necessary to confirm Bloomreach's compliance with this DPA, including responses to information security, due diligence and audit questionnaires, by making additional information available regarding its security program upon Customer's written request, provided that Customer shall not exercise this right more than once per year.

2.2 Audit. Whilst it is the parties' intention to ordinarily rely on the audit measures described in Section 2.1 (above) to verify Bloomreach's compliance with this DPA (including the Standard Contractual Clauses), following a confirmed Data Breach or where a data protection authority requires it, Bloomreach shall allow the Customer (or, subject to complying with Section 2.3, a third party licensed auditor) to carry out an on-site or remote audit of Bloomreach's electronic data files, systems and documentation relating to the Processing of Personal Data, provided that: (i) Data Protection Legislation obliges Bloomreach to allow for such audit; (ii) Bloomreach is notified of the audit via a written notice at least 30 (thirty) days in advance; (iii) the audit shall be conducted at Customer's expense; (iv) the parties shall mutually agree upon the scope, timing and duration of the audit; and (v) the audit shall not take place more than once a calendar year and shall not unreasonably impact Bloomreach's regular operations.

2.3 Audit by a third party. Customer may exercise its audit rights under Section 2.2 through the engagement of an independent third party that is an external licensed auditor, provided that Customer provides Bloomreach with reasonable prior written notice and the opportunity to object in accordance with this Section 2.3. Bloomreach may object to such an auditor conducting the audit if the auditor is, in Bloomreach’s reasonable opinion, not suitably qualified or independent, a competitor of Bloomreach, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor.


3. CUSTOMER’S OBLIGATIONS

3.1 Customer’s Processing of Personal Data. Customer shall, in its use of the Services and provision of its Processing instructions, Process Personal Data in accordance with Data Protection Legislation (including, where the Customer is a Processor, by ensuring the ultimate Controller does so). Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Where Customer acts as a Processor on behalf of a third party Controller (or other intermediary to the ultimate Controller), Customer warrants that its Processing instructions, including its authorizations to Bloomreach for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant Controller. The Customer shall be solely responsible for forwarding any notifications received from Bloomreach to the relevant Controller where appropriate.

3.2 Customer’s Compliance. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to Bloomreach; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) under Data Protection Legislation for Bloomreach to Process Personal Data for the Permitted Purposes; (iii) it has fulfilled (or shall fulfill) all registration or notification obligations to which Customer is subject under the Data Protection Legislation; and (iv) it is responsible for its own Processing of Personal Data, including the integrity, security, maintenance and appropriate protection of Personal Data that is under Customer’s control.

3.3 Technical and organizational measures. Without prejudice to Bloomreach's obligations under Section 1.4 (Security Measures), Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services, and taking any appropriate technical, organizational and security measures to securely encrypt or back up any Personal Data uploaded to the Services. Customer is also responsible for the use of the Services by any of its employees, any person Customer authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Customer. Customer agrees to immediately notify Bloomreach of any unauthorized use of the Services or Customer’s account, or of any other breach of security involving the Services, upon becoming aware of it.

3.4 Use of Cookies. Where the Services employ the use of cookies and/or similar tracking technologies ("Cookies"), Customer shall maintain appropriate notice and consent mechanisms as required by Data Protection Legislation and industry best practice (or as otherwise reasonably requested by Bloomreach) to enable Bloomreach to lawfully deploy Cookies on, and lawfully collect data from, the devices of Data Subjects for the purposes of providing the Services. Bloomreach shall, upon request, provide Customer with all information reasonably required by the Customer (including details about the Cookies) to enable Customer to provide such notice. The Customer shall promptly notify Bloomreach if it is unable to comply with its obligations under this Section 3.4.


4. COOPERATION

4.1 Data Subject Rights. To the extent that Customer is unable to independently access the relevant Personal Data within the Services, Bloomreach shall (at Customer's expense), taking into account the nature of the Processing, provide reasonable assistance (including by appropriate technical and organizational measures, in so far as this is possible) to enable Customer to: (i) respond to any requests from a Data Subject seeking to exercise any of its rights under Data Protection Legislation (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence"). In the event that any Correspondence from a Data Subject is made directly to Bloomreach, it shall, where the Customer is identified or identifiable from the Correspondence, promptly notify Customer (who, where Customer is a Processor, shall in turn be responsible for informing the ultimate Controller) and shall not, unless legally compelled to do so, respond directly, except that Customer authorizes Bloomreach to redirect the Data Subject as necessary to allow Customer to respond as appropriate. Any assistance provided under this Section 4.1 shall be relevant to Services that support the Processing of Personal Data, commercially reasonable and proportionate to the objective of the exercise with which Bloomreach is requested to assist.

4.2 Data Protection Impact Assessment. To the extent required by Data Protection Legislation, Bloomreach shall (taking into account the nature of the Processing and the information available to Bloomreach) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation. Bloomreach shall comply with the foregoing by: (i) complying with Section 2 (Audit Rights); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer's expense.

4.3 Data Breaches

4.3.1 Data Breach Notification. Upon becoming aware of a Data Breach, Bloomreach shall notify the Customer (who, where Customer is a Processor, shall in turn be responsible for informing the ultimate Controller(s)) without undue delay and shall provide such timely information and cooperation as Customer may reasonably require in order for Customer (or where Customer is a Processor, its Controller) to fulfil its data breach reporting obligations under Data Protection Legislation. Where, and in so far as, it is not possible to provide all the details at the same time, the information may be provided in phases, without undue delay. Bloomreach shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Data Breach and shall keep Customer informed of all developments in connection with the Data Breach. Customer agrees that Bloomreach's obligation to notify the Data Breach is not an acknowledgement by Bloomreach of any fault or liability of Bloomreach with respect to such Data Breach. If a Data Breach is caused or materially contributed to by Customer, Bloomreach will reasonably cooperate in the investigation of the Data Breach subject to Customer's obligation to compensate Bloomreach for its reasonable costs.

4.3.2 Liability for Data Breaches. Bloomreach shall be liable for a Data Breach toward Customer or any third party only where: (a) the Data Breach is a result of a breach of Bloomreach's information security obligations under this DPA; and (b) the Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer, including any Authorized Users (collectively "Customer Representatives"); or (ii) Customer Representatives' instructions to Bloomreach.


5. SUB-PROCESSING

5.1 Authorized Sub-processors. Customer provides a general authorization for Bloomreach to engage Sub-processors to Process Personal Data on Customer's behalf, including the Sub-processors listed in Annex 2 ("Sub-processor List"). An updated list of Sub-processors will always be available at https://www.bloomreach.com/en/legal/subprocessors, and Bloomreach will be considered to have notified Customer of the addition of a new Sub-processor by publishing the Sub-processor's name at the said link. Customer may also opt to receive notifications of new Sub-processors by emailing subnotification@bloomreach.com with the subject "Subscribe"; if a Customer contact subscribes, Bloomreach shall provide the subscriber with notification of new Sub-processors. The Customer will have the right to object to the addition of a new Sub-processor in accordance with Section 5.2 below. Bloomreach shall impose substantially the same data protection terms on any Sub-processor it appoints as are contained in this DPA (including data transfer provisions, where applicable) and shall remain responsible for any acts or omissions of Sub-processors to the extent they cause Bloomreach to breach any of its obligations under this DPA.

5.2 Objections to Sub-processors. Bloomreach shall notify Customer if it adds or removes Sub-processors using the mechanism set out in Section 5.1 above. The Customer may object in writing to the appointment of such a new Sub-processor on reasonable grounds relating to data protection by notifying Bloomreach promptly in writing within 10 calendar days of receipt of Bloomreach's notice. Such notice shall explain the reasonable grounds for the objection. In such an event, the parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution.


6. DATA TRANSFERS

6.1 International data transfers. Personal Data that Bloomreach Processes under the Agreement may be Processed in any country in which Bloomreach and its Sub-processors maintain facilities to perform the Services, as further detailed in the Sub-processor List. Bloomreach shall not participate in (nor permit any Sub-processors to participate in) any Restricted Transfers of Personal Data unless the Restricted Transfer is made in compliance with EU/ UK Data Protection Law and this DPA.

6.2 Application of Standard Contractual Clauses.

6.2.1 The Parties agree that when and to the extent the transfer of Personal Data from Customer to Bloomreach is a Restricted Transfer and EU/UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be incorporated by reference into and form an integral part of this DPA as follows.

6.2.2 In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will apply with the following modifications:

6.2.2.1 where Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply, and where Customer is a Processor acting on behalf of third party Controllers, Module Three (Processor to Processor Clauses) will apply;

6.2.2.2 in Clause 7 (Docking Clause), the optional docking clause will apply;

6.2.2.3 in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.2 of this DPA;

6.2.2.4 in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;

6.2.2.5 in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Dutch law;

6.2.2.6 in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands;

6.2.2.7 Annex I shall be deemed completed with the information set out in Annex 1 to this DPA;

6.2.2.8 Annex II shall be deemed completed with the information set out in Annex 3 to this DPA.

6.2.3 In relation to transfers of Personal Data protected by the UK GDPR or the Swiss DPA, the EU SCCs will also apply in accordance with Section 6.2.2 above, with the following modifications:

6.2.3.1 references to "Regulation (EU) 2016/679" shall be interpreted as references to UK GDPR or the Swiss DPA (as applicable);

6.2.3.2 references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK GDPR or the Swiss DPA (as applicable);

6.2.3.3 references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);

6.2.3.4 the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);

6.2.3.5 Clause 13(a) and Part C of Annex I are not used, and the "competent supervisory authority" is the United Kingdom Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable);

6.2.3.6 references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales", or the "Swiss Federal Data Protection and Information Commissioner" and the "applicable courts of Switzerland" (as applicable);

6.2.3.7 in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and

6.2.3.8 with respect to transfers to which the UK GDPR applies, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring a legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

6.2.4 UK Transfers. To the extent that, and for so long as, the EU SCCs as implemented above cannot be used to lawfully transfer Personal Data in compliance with the UK GDPR, the UK SCCs shall instead be incorporated by reference, form an integral part of this DPA and apply to such transfers of Personal Data governed by the UK GDPR. Where this is the case, the relevant annexes, tables or appendices of the UK SCCs shall be populated using the relevant information contained in this DPA.

6.3 In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the appropriate Standard Contractual Clauses shall prevail to the extent of such conflict.

6.4 Alternative Transfer Mechanism. If Bloomreach adopts an alternative lawful data export mechanism for the transfer of Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with EU/UK Data Protection Law and extends to the territories to which the relevant Personal Data is transferred), subject to Customer’s consent, which cannot be unreasonably withheld.


7. LIMITATION OF LIABILITY

7.1 Limitation of Liability. To the maximum extent permitted by law, each party and its Affiliates' aggregate liability to the other party arising out of or in relation to this DPA (including the Standard Contractual Clauses), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth under the Agreement. For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.


8. MISCELLANEOUS

8.1 Third Party Beneficiaries. Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third party beneficiaries to the Agreement and this DPA. Without prejudice to the foregoing, the Agreement and the terms of this DPA apply only to the Parties and do not confer any rights to any Customer’s Affiliate, Customer’s end user or any third-party Data Subjects.

8.2 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.

8.3 Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.

8.4 Term. This DPA will continue to be in effect for the term of the Agreement or any applicable Sales Order plus the period from expiry of the Agreement or Sales Order (as applicable) until Bloomreach ceases to process Personal Data on behalf of the Customer (the "Processing Term").

Annex 1

Description of the Processing 


Annex 1 (A) List of Parties:

Data exporter (Customer)

Name: The entity identified as the "Customer" in the Agreement

Address: The address for the Customer associated with its Bloomreach account or as otherwise specified in the Sales Order or Agreement.

Contact Person's Name, position and contact details: The contact details associated with the Customer's Bloomreach account, or as otherwise specified in the Sales Order or Agreement.

Activities relevant to the processing: See Annex 1(B) below

Role: Controller or Processor (as applicable)

Role for the purpose of transfer under Section 6 of the DPA: Data Exporter

Signature and Date: Subject to Section 6 of the DPA, by using the Services to transfer Personal Data to Bloomreach located in a non-adequate country, the data exporter will be deemed to have signed this Annex 1.

Data importer (Bloomreach)

Name: The entity identified as Bloomreach in the Agreement

Address: The Bloomreach address specified in the Agreement.

Contact Person's Name, position and contact details: The contact details specified in the Agreement.

Activities relevant to the processing: See Annex 1(B) below

Role: Processor or Sub-processor (as applicable)

Role for the purpose of transfer under Section 6 of the DPA: Data Importer

Signature and Date: Subject to Section 6 of the DPA, by transferring Personal Data to a non-adequate country on Customer's instruction, the data importer will be deemed to have signed this Annex 1.


Annex 1(B) Description of Processing

Bloomreach Engagement:

Categories of data subjects whose Personal Data is processed:

Depending on the nature and scope of the Services purchased by the Customer, the Data Subjects may include: 

  • Visitors – any visitor to Customer’s website covered by the Services.

  • End Customers – any existing or future end-customer or prospect of Customer that visits Customer’s website covered by the Services or whose personal data is otherwise uploaded by Customer to the Services.

  • Permitted Users – any of Customer's employees or other personnel, suppliers and other third parties who are authorized under the Agreement to use the Services.

Categories of Personal Data processed:

Depending on the nature and scope of the Services, the Personal Data may include:

  • Permitted Users: identification and contact data (name, email address); IT related data (computer ID, user ID, password, IP address, log files).

  • Visitors and End Customers: tracking data with respect to a specific product; tracking and other data contained in contact forms; contact preferences and preferences regarding Customer’s services; limited location data (city); IP address; name and surname; gender; email address; login information; time zone setting; operating system and platform; information about visits, including the URL, search terms, what the Data Subject viewed or searched for on the Customer’s website, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs) and the methods used to browse away from the page; and activities of users browsing web pages.

Special categories of data:

Bloomreach does not require any special categories of data in order to provide the Services and does not intentionally collect or process any such special categories of data in connection with the provision of the Services.


Frequency of the processing:

Continuous basis depending on the use of the Services. 

Nature of processing:

The nature of the Processing is the performance of the Services pursuant to the Agreement. 

Duration of the processing:  

The Processing Term.  

Purpose(s) of the data processing: 

(i) Processing to provide, maintain, support and improve Services provided to Customer in accordance with the Agreement and applicable Sales Order; 

(ii) Processing initiated by Permitted Users in their use of the Services; and 

(iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this DPA). 

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: 

Customer determines the duration of the Processing in accordance with the terms of this DPA. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As above. 


Other Bloomreach Services:


Categories of data subjects whose Personal Data is processed:

Depending on the nature of the Services purchased by the Customer, the Data Subjects may include: 

  • Permitted Users – any of Customer's employees or other personnel, suppliers and other third parties who are authorized under the Agreement to use the Services.

  • Visitors - any visitor to a Site covered by the Services.

  • End Customers – any existing or future end-customer or prospect of Customer that visits a Site covered by the Services or whose personal data is otherwise uploaded by Customer to the Services. 

Categories of Personal Data processed: 

Depending on the nature of the Services, the Personal Data may include:

  • Permitted Users: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility); IT related data (computer ID, user ID, password, IP address, log files).

  • Visitors: browsing and purchasing activity (including pages and/or product purchases, links clicked, searches performed, product category and order details); IP addresses, unique device-level identifiers (such as an IDFA or Android Advertising ID), cookie data, online navigation data (including access dates and times), location data, browser data, language and any other Personal Data Customer configures the Services to collect.

  • End Customers: tracking data with respect to a specific product, tracking and other data contained in the contact forms; information about the preferences of contacting and Customer’s services and limited location data (city); IP address; name, surname; gender; email address; login information; time zone setting; operating system and platform; information about visits including the URL, the search terms, information about what the Customer viewed or searched on the Customer’s website, page response times; download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and the methods used to browse away from the page, and activities of users browsing web pages.


Special categories of data:

Bloomreach does not require any special categories of data in order to provide the Services and does not intentionally collect or process any special categories of such data in connection with the provision of the Services. 


Frequency of the transfer:

Continuous basis depending on the use of the Services. 

Nature of processing:

The nature of the Processing is the performance of the Services pursuant to the Agreement. 

Duration of the processing:  

The Processing Term.  

Purpose(s) of the data processing: 

(i) Processing to provide, maintain, support and improve Services provided to Customer in accordance with the Agreement and applicable Sales Order; 

(ii) Processing initiated by Permitted Users in their use of the Services; and 

(iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this DPA). 

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: 

Customer determines the duration of the Processing in accordance with the terms of this DPA. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As above. 


Annex 1(C): Competent supervisory authority

The Customer's competent supervisory authority will be determined in accordance with the GDPR, where applicable. 


Annex 2: Approved Sub-processors

The list of approved sub-processors of Bloomreach is available at https://www.bloomreach.com/en/legal/subprocessors


Annex 3: Technical and organizational measures

The technical and organizational measures implemented by Bloomreach (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons are as follows:   


Security Measures – Bloomreach

As of the Effective Date of the Agreement, Bloomreach maintains the technical and organisational security measures as described in this Annex 3 to the DPA. This Annex 3 is hereby incorporated into this DPA and shall form an inseparable part hereof. Capitalized terms not otherwise defined shall have the meaning given to them in the DPA, MSA or the applicable Product Appendix.

For more details regarding our security measures, please refer to our SOC 2 (Type 1) Report (see sec. F below). 

  A. Access Control

Physical Access Control. Bloomreach takes measures to prevent unauthorized persons from entering the premises in which data processing systems are stored and with which personal data are processed.

Technical Access Control. Bloomreach takes technical measures to prevent data processing systems from being used by unauthorized persons. These include authentication when accessing computers / systems using a user ID and password, as well as setting up firewalls.

Personnel Access Control. Bloomreach ensures that only authorized personnel can access contents and that personal data cannot be copied, changed or deleted without authorization during processing and use and after saving. When granting access rights to Bloomreach personnel working on the Customer’s project, Bloomreach follows the principle of least privilege to ensure that Customer Data is accessed only by personnel that need the access in order to provide the Services as ordered by the Customer. 

Penetration testing. In order to prevent unauthorised attacks on our platform, Bloomreach maintains contractual relationships with penetration testing service providers. Through regular penetration testing, Bloomreach can identify foreseeable attacks and possible abuse scenarios, resolve the underlying weaknesses and thus prevent them.

  B. Organisational Measures

DPO. Bloomreach has a designated Data Protection Officer (DPO), a Chief Information Security Officer (CISO) and a team of Security Engineers, as well as legal professionals, to monitor and ensure compliance with the GDPR and local laws. 

Personnel training. Bloomreach organizes regular and obligatory company-wide Security and GDPR trainings, as well as OWASP trainings to prevent Web Application Security Risks. During the onboarding process, the personnel are required to execute non-disclosure agreements. During the course of engagement with Bloomreach, all personnel follow guidelines to ensure the confidentiality, professional and ethical standards necessary to guarantee effective Customer Data protection. 

Remote Working Policy. Bloomreach personnel must act in compliance with further measures such as the Remote Working Policy (Endpoint Security Management, mandatory VPN, etc.), secure device setup and security awareness, a strong password policy, a two-factor authentication process, etc. 

  C. Technical Measures

Transfer Control. Bloomreach prevents personal data from being read, copied, changed or deleted in an unauthorized way during electronic transmission, transport or storage on data media. This includes secure electronic transmission, VPN, firewalls, encryption and logging measures. 

Input control. Bloomreach ensures that it can be subsequently checked whether and by whom personal data have been entered, changed or deleted. This includes logging and user identification.

Availability control. Bloomreach ensures that personal data is protected against accidental destruction or loss. This includes the usual fire protection measures and overvoltage protection, a backup concept, virus protection and clean coding.

Separation control. Bloomreach ensures that personal data collected for different purposes is processed separately. This includes separate customer accounts, separate databases and encryption methods.

Data Encryption. There are several layers of encryption of data. Data is encrypted in transit. 

TLS. The Transport Layer Security (TLS) protocol is used for communication within the app and for web tracking.

Additional Technical Measures. Firewalls, logging, malware protection, security scans and other control mechanisms are in place to provide further technical security. 


  D. Security Development Practices

Bloomreach has the following further practices in place to ensure the security of the application: 

  • Clean coding and least privilege access granting for Bloomreach IT developers.

  • Monitoring traffic – Internal network traffic is regularly checked for any suspicious behaviour.

  • Vulnerability Management and penetration tests – Bloomreach conducts regular web scans and scans for potential threats.

  • Incident Management - Bloomreach has a well-defined incident management process for security events, including reporting, prioritization based on urgency, escalation and mitigation.

  • Business Continuity – Bloomreach regularly reviews all business-critical functions. 

  • Quality assurance – Bloomreach tests all new features before implementing them in the application.

  E. Further measures to protect Customer Data

Infrastructure. Bloomreach relies upon recognized hosting providers in the field that (i) enable a multi-tenant, geographically distributed environment and a high-availability infrastructure, and (ii) comply with all data protection obligations as stipulated in applicable Data Protection Legislation. 

Control of Processors. Bloomreach ensures that personal data processed by Processors are processed in accordance with the instructions of Bloomreach and its customers. This includes control rights and data processing contracts according to the GDPR.

External Audit. Bloomreach is subject to external annual audit by an independent third-party licensed auditor to test, evaluate and confirm that the security measures are up-to-date, effective and functional. 


  F. Certification

Bloomreach currently maintains the following certifications: 

More information is available at: https://www.bloomreach.com/en/legal/security

Bloomreach also holds a SOC 2 (Type 1) Report. This contains specifics pertaining to security measures and can be provided under a non-disclosure agreement.      

Bloomreach reserves the right to replace any security measure with an equivalent or enhanced alternative at any time during the Term of the Agreement, provided that such alternative ensures equal data security and complies with state-of-the-art security standards applicable in the field.