Last Updated 20th August 2024
This Jewelrybox.ai Data Processing Agreement, including its Annexes A, B, and C (“DPA”), is between Jewelrybox.ai (“Jewelrybox”) and the entity executing this agreement as the Customer (“Customer”). This DPA outlines the parties' agreement regarding the Processing of Personal Data by Jewelrybox.ai on behalf of the Customer in connection with the Service under the contemporaneously-executed Terms of Service agreement between the parties (“Agreement”).
This DPA is an integral part of the Agreement and becomes effective upon execution or as otherwise specified in the Agreement, an Order, or an executed amendment to the Agreement. In the event of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency and will supersede any previous DPA.
1. Definitions
CCPA: California Civil Code Sec. 1798.100 et seq. as amended (California Consumer Privacy Act of 2018), including the California Privacy Rights Act amendments.
California Personal Information: Personal Data subject to the protection of the CCPA.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process, and Processing: As defined in Data Protection Laws.
Customer Personal Data: Information relating to an identified or identifiable individual within Customer Data under the Agreement, protected as personal data under applicable Data Protection Laws.
Data Protection Laws: Applicable worldwide legislation relating to data protection and privacy applicable to the Processing of Personal Data under the Agreement.
Europe: European Union, European Economic Area, their member states, Switzerland, and the United Kingdom.
European Data: Personal Data subject to European Data Protection Laws.
European Data Protection Laws: Data protection laws applicable in Europe, including GDPR, Directive 2002/58/EC, and applicable national implementations.
GDPR: General Data Protection Regulation ((EU) 2016/679) and the retained UK version.
Standard Contractual Clauses: Standard contractual clauses in the European Commission’s Decision (EU) 2021/914.
UK Addendum: International Data Transfer Addendum by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.
2. Compliance
Both parties will comply with all applicable requirements of Data Protection Laws. This schedule is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Data Protection Laws.
3. Controller/Processor
For Data Protection Laws purposes, Jewelrybox.ai will process Customer Personal Data as a processor on behalf of the Customer, who may be either a Controller or Processor.
4. Consents
The Customer will ensure all necessary consents and notices are in place for lawful transfer of Customer Personal Data to Jewelrybox.ai and its lawful collection using Jewelrybox.ai Services, indemnifying Jewelrybox.ai against losses due to failure in this regard.
5. Nature, Scope, Purpose of Processing, and Data Subjects
Annex A details the scope, nature, and purpose of Customer Personal Data Processing by Jewelrybox.ai, including the duration, types of Customer Personal Data, and categories of Data Subjects.
6. Customer Instructions
Jewelrybox shall process Customer Personal Data only on documented instructions of the Customer unless required otherwise by applicable laws. The Agreement and DPA are deemed Customer's instructions; additional instructions may be agreed upon.
7. Jewelrybox.ai Obligations
Implement appropriate measures to protect Customer Personal Data from breaches (Annex B).
Ensure personnel processing Customer Personal Data are committed to confidentiality.
Assist the Customer in responding to Data Subject requests and compliance obligations under Data Protection Laws.
Notify the Customer promptly of Personal Data Breaches.
On Customer's direction, delete or return Customer Personal Data upon Agreement termination unless required to retain by law.
For European Data, assist in GDPR compliance, provide necessary information for audits, and maintain compliance records.
8. Service Provider under CCPA
If CCPA applies, Customer is a “business” and Jewelrybox a “service provider.” Jewelrybox.ai will not retain, use, or disclose California Personal Information beyond Agreement performance or as permitted by CCPA.
9. Subprocessors
Customer authorizes Jewelrybox to appoint Processors for Customer Personal Data, with Jewelrybox ensuring compliance and remaining responsible for their acts and omissions. Jewelrybox.ai will notify customers of any changes to Sub-Processors (Annex C).
10. European Data: Transfer Mechanisms and Standard Contractual Clauses
a. Transfer Compliance: Jewelrybox.ai will not transfer European Data to countries or recipients not recognized as providing adequate protection for Personal Data (as defined by applicable European Data Protection Laws), unless measures ensuring compliance with these laws are in place. These measures may include transferring Personal Data to recipients covered by recognized frameworks or legally adequate transfer mechanisms, recipients with binding corporate rules authorization, or recipients who have executed appropriate standard contractual clauses, all in accordance with European Data Protection Laws.
b. Acknowledgement and Incorporation of Standard Contractual Clauses:
EEA Transfers: For European Data under GDPR:
- Customer is the "data exporter" and Jewelrybox.ai is the "data importer".
- Module Two terms apply if the Customer is a Controller; Module Three terms apply if the Customer is a Processor of European Data.
- Clause 7's optional docking clause is applicable.
- Clause 9, Option 2 applies; changes to Sub-Processors will be notified as per the 'Sub-Processors' section of this DPA.
- Optional language in Clause 11 is omitted.
- Clauses 17 and 18: Governing law and dispute resolution will be under the Republic of Ireland's jurisdiction.
- Annexes of the Standard Contractual Clauses are completed with information from this DPA's Annexes. In case of conflict, Standard Contractual Clauses prevail over this DPA.
UK Transfers: For European Data under UK GDPR:
- Standard Contractual Clauses are modified and interpreted in line with the UK Addendum.
- Tables 1, 2, and 3 of the UK Addendum are completed with information from this DPA's Annexes; Table 4 selects "neither party".
- Conflicts between Standard Contractual Clauses and the UK Addendum are resolved as per Sections 10 and 11 of the UK Addendum.
Swiss Transfers: For European Data under the Swiss DPA:
- References to "Regulation (EU) 2016/679" are interpreted as references to the Swiss DPA.
- References to "EU", "Union", and "Member State law" are interpreted as references to Swiss law.
- References to "competent supervisory authority" and "competent courts" are replaced with "the Swiss Federal Data Protection and Information Commissioner" and "relevant courts in Switzerland".
c. Compliance and Remediation: If Jewelrybox.ai cannot comply with the Standard Contractual Clauses or breaches any warranties under these clauses or the UK Addendum, and the Customer intends to suspend or terminate the transfer of European Data, the Customer will provide reasonable notice to Jewelrybox.ai to cure the non-compliance. Jewelrybox.ai will cooperate to identify potential safeguards to remedy non-compliance. If non-compliance is not or cannot be cured, the Customer may suspend or terminate the affected part of the Service in accordance with the Agreement without liability (excluding fees incurred prior to suspension or termination).
11. Amendments
Jewelrybox.ai reserves the right to update this DPA, including changes in Data Protection Laws and revisions to security provisions, provided that such updates do not materially reduce the overall security level for Customer Personal Data.
ANNEX A - Details of Processing
A. List of Parties
Data exporter:
- Name: You, as defined in Jewelrybox.ai’s Terms of Service
- Address: Your address as specified by your Platform Account
- Contact person’s name, position, and contact details: Your contact details, as specified by your Platform Account
- Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties as a Controller.
- Role (controller/processor): Controller or Processor
C. Competent Supervisory Authority:
- Authority: The supervisory authority will be determined in accordance with the Transfer Mechanisms for Data Transfers section of this DPA.
ANNEX B - Technical and Organizational Security Measures
ANNEX C – Subprocessors