Privacy
CONFIDENTIAL INFORMATION SCHEDULE
1. Confidentiality and Use. The Receiving Party shall and shall cause its Permitted Recipients to:
1.1 Protect, keep and treat the Confidential Information of the Disclosing Party in strict confidence and with at least the same degree of care as it (or any third party to which it discloses the Confidential Information) would use to protect its own Confidential Information, but in no event with less than a reasonable degree of care;
1.2 Unless with the prior written consent of the Disclosing Party, not disclose any Confidential Information of the Disclosing Party, whether directly or indirectly, to any person other than the Permitted Recipients who (i) have been informed of its confidential nature, (ii) are subject to confidentiality obligations, or are under a general duty of confidence, to the Receiving Party that are no less onerous than the terms and conditions of this Confidential Information Schedule, and (iii) need to know the Confidential Information for the Purpose;
1.3 Not use or exploit the Disclosing Party’s Confidential Information in any way except in the manner and to the extent necessary for the Purpose;
1.4 Not reverse engineer, disassemble, decompile, or design around the Disclosing Party’s proprietary services, products, and/or confidential intellectual property;
1.5 Not copy, reduce to writing or otherwise record the Confidential Information of the Disclosing Party, in whole or in part, except to the extent necessary for the Purpose; any such copies reductions to writing or records shall be the property of the Disclosing Party or, as the case may be, the Disclosing Party’s licensors and clearly identify them as proprietors; and
1.6 Promptly notify the Disclosing Party of any actual or suspected unauthorized use or disclosure of Confidential Information of the Disclosing Party, of which the Receiving Party becomes aware.
2. Disclosure by Etail Depot. Notwithstanding the above in this Confidential Information Schedule, Retailer hereby authorizes Etail Depot and Etail Depot shall have a right to use any information and documents Etail Depot receives under this Agreement or otherwise obtains in connection with this Agreement or in performing the Services, including the know-your-customer information, as required by Etail Depot: (i) in order to provide the Services and perform its undertakings under this Agreement, Applicable Law and the Rules; (ii) in connection with the review of Retailer’s compliance with the provisions of this Agreement; (iii) for use in any fraud prevention program for the purpose of assisting in identifying merchants/retailers involved in, amongst other things, fraud or suspected fraud, insolvency, breach of agreement and such matter which would assist Etail Depot in its efforts to prevent fraud; (iv) as requested by a Provider (all of which shall have the right to use Retailer’s Confidential Information provided that Etail Depot has an agreement with such Provider with terms governing confidentiality); (v) for the purpose of disclosure to law enforcement bodies where fraud or other criminal activity is suspected; or (vi) as requested by any Regulator or other competent authority (all of which shall have the right to use Retailer’s Confidential Information). The aforementioned authorization shall also apply to disclosure and transfer to the following third parties: (1) any Provider and/or Marketplace; (2) any third party to which Etail Depot assigns, novates or transfers its rights and/or responsibilities under this Agreement (or considers doing any of the aforementioned); or (3) Retailer’s agent/reseller (where applicable) as long as these third parties (a) have been informed of its confidential nature of the information shared, (b) are subject to confidentiality obligations, or are under a general duty of confidence, to Etail Depot that are no less onerous than the terms and conditions of this Confidential Information Schedule, and (c) need to know the Retailer’s Confidential Information for the Purpose.
3. Exclusions. The confidentiality obligations set forth herein shall not apply to such information which (i) is or becomes part of the public domain without direct or indirect fault or breach on the part of the Receiving Party; (ii) was previously known to Receiving Party prior to being disclosed pursuant to this Agreement; (iii) is disclosed to the Receiving Party by a third party without an obligation to keep it confidential, as can be substantiated by written records; or (iv) is independently developed by or for the Receiving Party who have not had any direct or indirect access to, use of, or knowledge of the Disclosing Party’s Confidential Information, as can be substantiated by written records.
4. Mandatory Disclosure. Subject to the provisions of this Section 4, the Receiving Party or its Permitted Recipients may disclose the Confidential Information to the minimum extent required by (i) an order of any court of competent authority or Regulator; (ii) the rules of any listing authority or stock exchange on which its shares or those of any of its Affiliates are listed or traded; or (iii) the Applicable Laws of any country to which its affairs or those of any of its Affiliates are subject. Before making any such disclosure the Receiving Party shall and shall procure that its Permitted Recipients shall to the extent permitted by Applicable Law give the Disclosing Party as much written notice as possible as well as reasonable assistance so that the Disclosing Party may at its sole expense oppose such disclosure or seek a protective order or other limitations on disclosure. Where notice of such disclosure is not prohibited and is given in accordance with this Section 4, the Receiving Party shall take into account the reasonable requests of the Disclosing Party in relation to the content of this disclosure. If the Receiving Party is unable to inform the Disclosing Party before Confidential Information is disclosed pursuant to this Section 4, it shall, to the extent permitted by Applicable Law, inform the Disclosing Party of the full circumstances of the disclosure and the information that has been disclosed as soon as reasonably practicable after such disclosure has been made. Notwithstanding any provision of this Confidential Information Schedule to the contrary, the Receiving Party shall continue to treat any Confidential Information of the Disclosing Party disclosed under this Section 4 as confidential.
5. Disclosures in Ordinary Course of Business. Notwithstanding any other provision of this Confidential Information Schedule, no prior notice or other action shall be required in respect of any disclosure of Confidential Information made to any Regulator, banking, financial, accounting, securities or similar supervisory authority exercising its routine supervisory or audit functions, provided that such disclosure is made in the ordinary course and is not specific to the Disclosing Party, the Confidential Information or the Purpose.
6. Remedies. The Receiving Party understands that any breach of this Confidential Information Schedule may cause immediate and irreparable harm to the Disclosing Party which monetary damages may not adequately remedy. Accordingly, in addition to any other right or remedy that each Party may have, the Disclosing Party shall be entitled to seek equitable relief, including injunctive relief and specific performance, in the event of a breach or threatened breach of this Confidential Information Schedule.
7. Destruction or Return. Upon termination or expiry of the Agreement, at the Disclosing Party’s written request, the Receiving Party shall and shall procure that its Permitted Recipients shall, promptly return to the Disclosing Party or destroy all copies of the Disclosing Party’s Confidential Information. Notwithstanding the foregoing, the Receiving Party and its Permitted Recipients may retain copies of Confidential Information in accordance with its and their respective bona fide internal record retention policies for legal, compliance or regulatory purposes, and copies of computer records and files containing Confidential Information that have been created pursuant to automatic electronic archiving and back-up procedures until such computer records and files have been deleted in the ordinary course. The Receiving Party and its Permitted Recipients shall continue to be bound by the terms and conditions of this Confidential Information Schedule with respect to such retained Confidential Information.
8. Prohibited Trading. In their evaluation of the Confidential Information, Retailer and its Permitted Recipients may have access to material non-public information concerning publicly-listed entities, including Affiliate(s) of Etail Depot, on the TSX and NASDAQ. Retailer acknowledges that it and its Permitted Recipients are aware that applicable securities laws prohibit any person who has privileged information about a publicly-listed entity from trading in its securities or changing an economic interest in a related financial instrument, or from disclosing such information to any other person, subject to limited exemptions.
9. Reservation of Rights. Each Party reserves all rights in its Confidential Information. The disclosure of Confidential Information by the Disclosing Party does not give the Receiving Party or any other person any express or implied license or other right in respect of any Confidential Information or in any proprietary product or Mark owned or controlled by the Disclosing Party beyond the rights expressly set out in the Agreement.
10. Term. The provisions of this Confidential Information Schedule shall survive the termination or expiry of the Agreement.
11. Prior NDA. To the extent the Parties have previously entered into a nondisclosure agreement (“Prior NDA”), this Agreement supersedes the Prior NDA, the Prior NDA is hereby terminated as of the Effective Date, and all non-public, confidential or proprietary information disclosed pursuant to the Prior NDA shall be Confidential Information under this Agreement.
12. Definitions. For purposes of this Confidential Information Schedule, the following defined terms apply:
12.1 “Confidential Information” shall mean all non-public, confidential or proprietary information disclosed before, on or after the Effective Date, by or on behalf of the Disclosing Party to the Receiving Party or its Permitted Recipients, in any form, whether or not identified as "confidential,"
including: (i) all information concerning the past, present, and future business affairs of the Disclosing Party, its Affiliates, Bank, Providers, and their customers, suppliers, and any other third parties, including, without limitation, information concerning finances, customers, suppliers, products, services, organizational structure, internal practices, forecasts, sales, financial results, financial records, budgets, and business, marketing, development, sales, and other commercial strategies; (ii) any inventions, ideas, methods, discoveries, trade secrets, know-how, patent applications and any other intellectual property rights, in each case whether registered or not; (iii) all designs, specifications, models documentation, components, software, hardware, techniques, source code, network, security architecture, product information, reports and documentation, inventions, know-how, trade secrets, structural, scientific, technical, intellectual, algorithmic, pricing data, market reports and other business affairs, object codes, images, icons, audio-visual components and objects, schematics, drawings, protocols, processes, and other visual depictions, in whole or in part, of any of the foregoing; (iv) any third-party confidential information included with, or incorporated in, any information provided by the Disclosing Party to the Receiving Party or its Permitted Recipients, including in the case of Etail Depot information of financial institutions, acquirers, banks, alternative payment methods providers and/or payment schemes included in Etail Depot’s disclosures or offerings; and (v) all notes, analyses, compilations, reports, forecasts, studies, samples, data, statistics, summaries, interpretations, and other materials prepared by or for the Receiving Party or its Permitted Recipients that contain, are based on, or otherwise reflect or are derived from, in whole or in part, any of the foregoing. Confidential Information shall not include information that: (a) was known to the Receiving Party or its Permitted Recipients at the time of its disclosure hereunder; (b) is, was or becomes available to the Receiving Party on a non-confidential basis from a third party, provided that such third party is not or was not prohibited from disclosing such Confidential Information by any obligation or duty of confidentiality to the Disclosing Party; (c) was or is independently developed by the Receiving Party or its Permitted Recipients, without reference to or use of the Confidential Information or other breach of the Confidential Information Schedule, as established by documentary evidence; (d) at the time of disclosure is or thereafter becomes publicly known, other than through a breach of the Confidential Information Schedule by the Receiving Party or its Permitted Recipients; or (e) the parties agree in writing that the information is not confidential.
12.2 “Disclosing Party” means the Party disclosing Confidential Information.
12.3 “Permitted Recipients” means the Receiving Party’s Affiliates, and the Receiving Party’s and its Affiliates’ respective officers, directors, employees, advisers, agents, suppliers or service providers to whom disclosure of Confidential Information is necessary strictly for the Purpose.
12.4 “Receiving Party” means the Party receiving Confidential Information.
DATA PROTECTION SCHEDULE
1. Compliance with Data Protection Law
1.1 Each Party shall comply with the Data Protection Law as it applies to Personal Data processed under this Agreement. The undertaking in this Section 1.1 of this Data Protection Schedule is in addition to, and does not relieve, remove, or replace, a Party’s obligations under the Data Protection Law.
1.2 The Parties shall not engage in any of the following conduct:
1.2.1 Use the other Party’s Personal Data for any purpose other than for the Purpose;
1.2.2 Disclose the other Party’s Personal Data to any third party, except to comply with Applicable Law, or otherwise agreed in writing with the other Party; or
1.2.3 Make copies of the other Party’s Personal Data, other than as is necessary for the Purpose or in order to comply with any Applicable Law.
1.3 Etail Depot acknowledges that the restrictions in Section 1.2 of this Data Protection Schedule include, without limitation:
1.3.1 Use of Retailer’s Personal Data (in whole or in part) for any profiling, marketing, matching or data enhancement whether in its original form or by way of aggregation or anonymization; and
1.3.2 Disclosure of Retailer’s Personal Data to any third-party Controller without the express consent of Retailer.
1.4 Upon termination or expiry of this Agreement, Etail Depot shall (at Retailer’s request) destroy or return to Retailer Personal Data in its possession or control and delete existing copies (subject to any legal obligations on Retailer to keep the relevant Personal Data longer). Etail Depot shall (at Retailer’s request) provide Retailer with written confirmation of destruction/deletion of the relevant Personal Data.
2. Data Processing
2.1 The Parties agree and acknowledge that for the purpose of Data Protection Laws, Retailer will be acting as a data Controller and Etail Depot will be acting as a data Processor in respect of the Personal Data that is the subject of this Agreement.
2.2 Retailer is solely and wholly responsible for establishing and maintaining the lawful basis for the processing of Personal Data by Etail Depot under this Agreement in order to fulfil its obligations and with respect to including (where applicable) the obtaining of all necessary consents from Data Subjects.
2.3 A description of the data processing carried out by Etail Depot under this Agreement is set out in Part 1 of the Appendix to this Data Protection Schedule.
2.4 Retailer acknowledges that aggregated, anonymized data may be created based on Personal Data; provided that Data Subjects are not identifiable from this data. This data may be used and or shared with third parties for the purposes of billing, product enablement and build, testing or product improvement and for the purposes of replying to requests from public authorities.
2.5 Retailer agrees to: (i) ensure that all staff are appropriately trained in line with their responsibilities under applicable Data Protection Law; and (ii) immediately notify Etail Depot if Retailer reasonably believes that there has been or may be a security breach of its systems including, but not limited to, instances of unauthorized access or attempts to access Transaction data or End User Data and instances where there is suspected or confirmed damage, loss or theft of Transaction data or End User Data.
2.6 Etail Depot has appointed a Data Protection Officer in accordance with Data Protection Laws. Accordingly, data protection enquiries should be addressed to Etail Depot’s Data Protection Officer at DPO@Etail Depot.com.
2.6.1 Each Party shall not do or omit to do, or cause or permit anything to be done or omitted to be done, which may reasonably be expected to cause or otherwise result in a loss, alteration, theft and/or abuse of Personal Data and/or a breach of the Data Protection Laws by Retailer, Etail Depot, Providers or others.
2.7 In respect of the Personal Data processed by Etail Depot as a data Processor acting on behalf of Retailer under this Agreement, Etail Depot shall:
2.7.1 Process the Personal Data only on Retailer’s written instructions, for compliance with Applicable Laws to which Etail Depot is subject (in which case it shall, if permitted by such Applicable Laws, promptly notify Retailer of that requirement before processing), and where processing is necessary for the purposes of the legitimate interests pursued by Etail Depot, including the prevention of fraud and the maintenance of information security (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, or where the Data Subject is a child);
2.7.2 Ensure that it has in place appropriate technical and organizational measures to protect against unauthorized, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, such measures in each case to be appropriate to the likelihood and severity of harm to Data Subjects that might result from the unauthorized, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures;
2.7.3 Ensure that persons engaged in the processing of Personal Data are bound by appropriate confidentiality obligations;
2.7.4 Keep a record of the processing it carries out, and ensure the same is accurate;
2.7.5 Comply promptly with any lawful request from Retailer requesting access to, copies of, or the amendment, transfer or deletion of the Personal Data to the extent the same is necessary to allow Retailer to fulfil its own obligations under the Data Protection Law, including Retailer’s obligations arising in respect of a request from a Data Subject; 2.7.6 Notify Retailer promptly if it receives any complaint, notice or communication (whether from a Data Subject, competent authority or otherwise) relating to the processing, the Personal Data or to either Party’s compliance with the Data Protection Law as it or they relate to this Agreement, and provide Retailer with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
2.7.7 Notify Retailer promptly if, in its opinion, an instruction from Retailer infringes any Data Protection Law (provided always that Retailer acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or Etail Depot is subject to legal requirements that would make it unlawful or otherwise impossible for Etail Depot to act according to Retailer’s instructions or to comply with Data Protection Law;
2.7.8 Ensure in each case that prior to the processing of any Personal Data by any sub-processor, terms equivalent to the terms set out in this Data Protection Schedule are included in a written contract between Etail Depot and any sub-processor engaged in the processing of the Personal Data;
2.7.9 Retailer hereby authorizes the appointment by Etail Depot of each of the sub-processors (or categories of sub-processors as the case may be) that are listed in Part 2 of the Appendix to this Data Protection Schedule, and to the extent this authorization is in respect of a category of sub-processors, Etail Depot shall inform Retailer of any intended changes concerning the addition or replacement of other categories of sub-processors;
2.7.10 Subject to the terms hereof, the transfer of Personal Data may take place worldwide. If the legal grounds upon which adequate protection for the transfer of Personal Data is based ceases to be valid, Etail Depot will work with Retailer to put in place an alternative solution. Retailer acknowledges that Etail Depot may disclose the Personal Data to any applicable sub-processor, including Bank and any Affiliate, APMP and Payment Scheme, and their respective sub-processors, and such other Providers or entities to which it may be reasonably necessary to disclose and transfer Personal Data, including the competent Regulators, law enforcement authorities and anti-terrorism or organized crime agencies to whom it is necessary to disclose data.
2.7.11 Inform Retailer promptly if any Personal Data processed under this Agreement is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorized or unlawful processing including unauthorized or unlawful access or disclosure;
2.7.12 Inform Retailer if it receives a request from a Data Subject for access to that person’s Personal Data and shall:
(i) Promptly provide Retailer with reasonable co-operation and assistance in relation to such request; and
(ii) Not disclose the Personal Data to any Data Subject (or to any third party) other than at the request of Retailer or as otherwise required under this Agreement;
2.7.13 Provide reasonable assistance to Retailer in responding to requests from Data Subjects and complying with its obligations under Data Protection Law with respect to security, breach notifications, data protection impact assessments and consultations with Regulators;
2.7.14 Delete or return to Retailer the Personal Data at the end of the duration of the processing described in Part 1 of the Appendix to this Data Protection Schedule, including any and all copies thereof, other than copies of Personal Data for which Etail Depot is compelled by Applicable Law to maintain, including, but not limited to obligations arising from measures aimed at combatting money laundering and the financing of terrorism;
2.7.15 Subject to any applicable confidentiality obligations, make available to Retailer such information as is reasonably required to demonstrate Etail Depot’s compliance with this Data Protection Schedule and, subject to any other conditions set out in this Agreement, allow for and contribute to audits, including inspections, of compliance with this Data Protection Schedule conducted by Retailer or a professional independent auditor engaged by Retailer. The following requirements apply to any audit:
(i) Retailer must give a minimum thirty (30) days’ notice of its intention to audit;
(ii) Retailer may exercise the right to audit no more than once in any calendar year;
(iii) Commencement of the audit shall be subject to agreement with Etail Depot on a scope of work at least ten (10) days in advance;
(iv) Etail Depot may restrict access to certain parts of its facilities and certain records where such restriction is necessary for confidentiality purposes;
(v) The audit shall not include penetration testing, vulnerability scanning, or other security tests;
(vi) The right to audit does not include the right to inspect, copy or otherwise remove any records, other than those that relate specifically and exclusively to Retailer;
(vii) Any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Etail Depot prior to the audit; and
(viii) Retailer shall compensate Etail Depot for its reasonable costs (including for the time of its personnel, other than the Retailer relationship manager) incurred in supporting any audit.
2.8 For purposes of this Data Protection Schedule, the following defined terms apply:
2.8.1 “Controller” has the meaning set forth in the Data Protection Law.
2.8.2 “Data Subject” means an individual who is the subject of Personal Data.
2.8.3 “Process” and “Processor” have the meanings given to them in the Data Protection Law.
Appendix to the Data Protection Schedule
Part 1 – Description of the Processing
Part 2 – Authorized Sub-Processors and Categories of Sub-Processor
PROHIBITED ACTIVITY LIST SCHEDULE
Retailer agrees that Retailer will not knowingly, which includes where an employee acts in the course of his/her duties, at any time conduct Retailer’s business in any manner that directly or indirectly offers, sells, leases, licenses or displays, delivers, advertises, recommends, performs or promotes any product(s), service(s), data, information, image(s), text and/or any content which:
1. is associated with:
1.1 any form of adult, sexually oriented, or obscene materials or services, including without limitation, any material clearly designed to sexually arouse the viewer/reader (e.g., books, text, photos, videos, X-rated movies, pornographic materials, etc.), any materials which require individuals to be of a certain age to view or purchase those materials, escort services, and adult websites;
1.2 any form of unlawful gambling, wagering, sports book products or services, or lottery type services not affiliated with a government-run lottery service, including regulated iGaming except where specifically permitted and regulated by the government in the applicable territory;
1.3 the sale of any controlled drug or illicit substance (including but not limited to cannabis), electronic cigarettes (i.e., “e-cigarettes”), vapes or any similar product or real-world firearms or weapons;
1.4 any illegal activity, including any illegal telecommunications or cable television equipment;
2. infringes on any patent, trademark, trade secret, copyright, right of publicity, or other proprietary right of any party, including, but not limited to, the unauthorized copying and posting of trademarks, pictures, logos, software, articles, musical works and videos;
3. could damage the goodwill or reflect negatively on Bank or any Provider or Etail Depot brands;
4. is threatening, abusive, harassing, defamatory, obscene, libelous, slanderous, deceptive, fraudulent, invasive of another’s privacy, or tortuous;
5. victimizes harasses, degrades, or intimidates an individual or group of individuals on the basis of religion, gender, sexual orientation, race, ethnicity, age, or disability;
6. impersonates any person or entity;
7. contains harmful content, including, without limitation, software viruses, Trojan horses, worms, time bombs, cancel bots, spy-ware, or any other files, software programs, or technology that is designed or intended to disrupt, damage, surreptitiously intercept or expropriate Services provided by Etail Depot or any system, program, data or personal information or limit the functioning of any software, hardware, or equipment or to damage or obtain unauthorized access to any data or other information of any third party;
8. causes an unusual number of API calls to be made to the Platform (in website, application and other available formats) resulting in disruption to or denial of the Etail Depot Services;
9. violates any international export or import laws, including, without limitation, the United States Export Administration Act and the United States Export Administration Regulations maintained by the United States Department of Commerce; or
10. offers or disseminates fraudulent products, services, schemes, or promotions (i.e., make money fast schemes, chain letters, pyramid schemes) or engage in any unfair deceptive act or practice.
1. Confidentiality and Use. The Receiving Party shall and shall cause its Permitted Recipients to:
1.1 Protect, keep and treat the Confidential Information of the Disclosing Party in strict confidence and with at least the same degree of care as it (or any third party to which it discloses the Confidential Information) would use to protect its own Confidential Information, but in no event with less than a reasonable degree of care;
1.2 Unless with the prior written consent of the Disclosing Party, not disclose any Confidential Information of the Disclosing Party, whether directly or indirectly, to any person other than the Permitted Recipients who (i) have been informed of its confidential nature, (ii) are subject to confidentiality obligations, or are under a general duty of confidence, to the Receiving Party that are no less onerous than the terms and conditions of this Confidential Information Schedule, and (iii) need to know the Confidential Information for the Purpose;
1.3 Not use or exploit the Disclosing Party’s Confidential Information in any way except in the manner and to the extent necessary for the Purpose;
1.4 Not reverse engineer, disassemble, decompile, or design around the Disclosing Party’s proprietary services, products, and/or confidential intellectual property;
1.5 Not copy, reduce to writing or otherwise record the Confidential Information of the Disclosing Party, in whole or in part, except to the extent necessary for the Purpose; any such copies reductions to writing or records shall be the property of the Disclosing Party or, as the case may be, the Disclosing Party’s licensors and clearly identify them as proprietors; and
1.6 Promptly notify the Disclosing Party of any actual or suspected unauthorized use or disclosure of Confidential Information of the Disclosing Party, of which the Receiving Party becomes aware.
2. Disclosure by Etail Depot. Notwithstanding the above in this Confidential Information Schedule, Retailer hereby authorizes Etail Depot and Etail Depot shall have a right to use any information and documents Etail Depot receives under this Agreement or otherwise obtains in connection with this Agreement or in performing the Services, including the know-your-customer information, as required by Etail Depot: (i) in order to provide the Services and perform its undertakings under this Agreement, Applicable Law and the Rules; (ii) in connection with the review of Retailer’s compliance with the provisions of this Agreement; (iii) for use in any fraud prevention program for the purpose of assisting in identifying merchants/retailers involved in, amongst other things, fraud or suspected fraud, insolvency, breach of agreement and such matter which would assist Etail Depot in its efforts to prevent fraud; (iv) as requested by a Provider (all of which shall have the right to use Retailer’s Confidential Information provided that Etail Depot has an agreement with such Provider with terms governing confidentiality); (v) for the purpose of disclosure to law enforcement bodies where fraud or other criminal activity is suspected; or (vi) as requested by any Regulator or other competent authority (all of which shall have the right to use Retailer’s Confidential Information). The aforementioned authorization shall also apply to disclosure and transfer to the following third parties: (1) any Provider and/or Marketplace; (2) any third party to which Etail Depot assigns, novates or transfers its rights and/or responsibilities under this Agreement (or considers doing any of the aforementioned); or (3) Retailer’s agent/reseller (where applicable) as long as these third parties (a) have been informed of its confidential nature of the information shared, (b) are subject to confidentiality obligations, or are under a general duty of confidence, to Etail Depot that are no less onerous than the terms and conditions of this Confidential Information Schedule, and (c) need to know the Retailer’s Confidential Information for the Purpose.
3. Exclusions. The confidentiality obligations set forth herein shall not apply to such information which (i) is or becomes part of the public domain without direct or indirect fault or breach on the part of the Receiving Party; (ii) was previously known to Receiving Party prior to being disclosed pursuant to this Agreement; (iii) is disclosed to the Receiving Party by a third party without an obligation to keep it confidential, as can be substantiated by written records; or (iv) is independently developed by or for the Receiving Party who have not had any direct or indirect access to, use of, or knowledge of the Disclosing Party’s Confidential Information, as can be substantiated by written records.
4. Mandatory Disclosure. Subject to the provisions of this Section 4, the Receiving Party or its Permitted Recipients may disclose the Confidential Information to the minimum extent required by (i) an order of any court of competent authority or Regulator; (ii) the rules of any listing authority or stock exchange on which its shares or those of any of its Affiliates are listed or traded; or (iii) the Applicable Laws of any country to which its affairs or those of any of its Affiliates are subject. Before making any such disclosure the Receiving Party shall and shall procure that its Permitted Recipients shall to the extent permitted by Applicable Law give the Disclosing Party as much written notice as possible as well as reasonable assistance so that the Disclosing Party may at its sole expense oppose such disclosure or seek a protective order or other limitations on disclosure. Where notice of such disclosure is not prohibited and is given in accordance with this Section 4, the Receiving Party shall take into account the reasonable requests of the Disclosing Party in relation to the content of this disclosure. If the Receiving Party is unable to inform the Disclosing Party before Confidential Information is disclosed pursuant to this Section 4, it shall, to the extent permitted by Applicable Law, inform the Disclosing Party of the full circumstances of the disclosure and the information that has been disclosed as soon as reasonably practicable after such disclosure has been made. Notwithstanding any provision of this Confidential Information Schedule to the contrary, the Receiving Party shall continue to treat any Confidential Information of the Disclosing Party disclosed under this Section 4 as confidential.
5. Disclosures in Ordinary Course of Business. Notwithstanding any other provision of this Confidential Information Schedule, no prior notice or other action shall be required in respect of any disclosure of Confidential Information made to any Regulator, banking, financial, accounting, securities or similar supervisory authority exercising its routine supervisory or audit functions, provided that such disclosure is made in the ordinary course and is not specific to the Disclosing Party, the Confidential Information or the Purpose.
6. Remedies. The Receiving Party understands that any breach of this Confidential Information Schedule may cause immediate and irreparable harm to the Disclosing Party which monetary damages may not adequately remedy. Accordingly, in addition to any other right or remedy that each Party may have, the Disclosing Party shall be entitled to seek equitable relief, including injunctive relief and specific performance, in the event of a breach or threatened breach of this Confidential Information Schedule.
7. Destruction or Return. Upon termination or expiry of the Agreement, at the Disclosing Party’s written request, the Receiving Party shall and shall procure that its Permitted Recipients shall, promptly return to the Disclosing Party or destroy all copies of the Disclosing Party’s Confidential Information. Notwithstanding the foregoing, the Receiving Party and its Permitted Recipients may retain copies of Confidential Information in accordance with its and their respective bona fide internal record retention policies for legal, compliance or regulatory purposes, and copies of computer records and files containing Confidential Information that have been created pursuant to automatic electronic archiving and back-up procedures until such computer records and files have been deleted in the ordinary course. The Receiving Party and its Permitted Recipients shall continue to be bound by the terms and conditions of this Confidential Information Schedule with respect to such retained Confidential Information.
8. Prohibited Trading. In their evaluation of the Confidential Information, Retailer and its Permitted Recipients may have access to material non-public information concerning publicly-listed entities, including Affiliate(s) of Etail Depot, on the TSX and NASDAQ. Retailer acknowledges that it and its Permitted Recipients are aware that applicable securities laws prohibit any person who has privileged information about a publicly-listed entity from trading in its securities or changing an economic interest in a related financial instrument, or from disclosing such information to any other person, subject to limited exemptions.
9. Reservation of Rights. Each Party reserves all rights in its Confidential Information. The disclosure of Confidential Information by the Disclosing Party does not give the Receiving Party or any other person any express or implied license or other right in respect of any Confidential Information or in any proprietary product or Mark owned or controlled by the Disclosing Party beyond the rights expressly set out in the Agreement.
10. Term. The provisions of this Confidential Information Schedule shall survive the termination or expiry of the Agreement.
11. Prior NDA. To the extent the Parties have previously entered into a nondisclosure agreement (“Prior NDA”), this Agreement supersedes the Prior NDA, the Prior NDA is hereby terminated as of the Effective Date, and all non-public, confidential or proprietary information disclosed pursuant to the Prior NDA shall be Confidential Information under this Agreement.
12. Definitions. For purposes of this Confidential Information Schedule, the following defined terms apply:
12.1 “Confidential Information” shall mean all non-public, confidential or proprietary information disclosed before, on or after the Effective Date, by or on behalf of the Disclosing Party to the Receiving Party or its Permitted Recipients, in any form, whether or not identified as "confidential,"
including: (i) all information concerning the past, present, and future business affairs of the Disclosing Party, its Affiliates, Bank, Providers, and their customers, suppliers, and any other third parties, including, without limitation, information concerning finances, customers, suppliers, products, services, organizational structure, internal practices, forecasts, sales, financial results, financial records, budgets, and business, marketing, development, sales, and other commercial strategies; (ii) any inventions, ideas, methods, discoveries, trade secrets, know-how, patent applications and any other intellectual property rights, in each case whether registered or not; (iii) all designs, specifications, models documentation, components, software, hardware, techniques, source code, network, security architecture, product information, reports and documentation, inventions, know-how, trade secrets, structural, scientific, technical, intellectual, algorithmic, pricing data, market reports and other business affairs, object codes, images, icons, audio-visual components and objects, schematics, drawings, protocols, processes, and other visual depictions, in whole or in part, of any of the foregoing; (iv) any third-party confidential information included with, or incorporated in, any information provided by the Disclosing Party to the Receiving Party or its Permitted Recipients, including in the case of Etail Depot information of financial institutions, acquirers, banks, alternative payment methods providers and/or payment schemes included in Etail Depot’s disclosures or offerings; and (v) all notes, analyses, compilations, reports, forecasts, studies, samples, data, statistics, summaries, interpretations, and other materials prepared by or for the Receiving Party or its Permitted Recipients that contain, are based on, or otherwise reflect or are derived from, in whole or in part, any of the foregoing. Confidential Information shall not include information that: (a) was known to the Receiving Party or its Permitted Recipients at the time of its disclosure hereunder; (b) is, was or becomes available to the Receiving Party on a non-confidential basis from a third party, provided that such third party is not or was not prohibited from disclosing such Confidential Information by any obligation or duty of confidentiality to the Disclosing Party; (c) was or is independently developed by the Receiving Party or its Permitted Recipients, without reference to or use of the Confidential Information or other breach of the Confidential Information Schedule, as established by documentary evidence; (d) at the time of disclosure is or thereafter becomes publicly known, other than through a breach of the Confidential Information Schedule by the Receiving Party or its Permitted Recipients; or (e) the parties agree in writing that the information is not confidential.
12.2 “Disclosing Party” means the Party disclosing Confidential Information.
12.3 “Permitted Recipients” means the Receiving Party’s Affiliates, and the Receiving Party’s and its Affiliates’ respective officers, directors, employees, advisers, agents, suppliers or service providers to whom disclosure of Confidential Information is necessary strictly for the Purpose.
12.4 “Receiving Party” means the Party receiving Confidential Information.
DATA PROTECTION SCHEDULE
1. Compliance with Data Protection Law
1.1 Each Party shall comply with the Data Protection Law as it applies to Personal Data processed under this Agreement. The undertaking in this Section 1.1 of this Data Protection Schedule is in addition to, and does not relieve, remove, or replace, a Party’s obligations under the Data Protection Law.
1.2 The Parties shall not engage in any of the following conduct:
1.2.1 Use the other Party’s Personal Data for any purpose other than for the Purpose;
1.2.2 Disclose the other Party’s Personal Data to any third party, except to comply with Applicable Law, or otherwise agreed in writing with the other Party; or
1.2.3 Make copies of the other Party’s Personal Data, other than as is necessary for the Purpose or in order to comply with any Applicable Law.
1.3 Etail Depot acknowledges that the restrictions in Section 1.2 of this Data Protection Schedule include, without limitation:
1.3.1 Use of Retailer’s Personal Data (in whole or in part) for any profiling, marketing, matching or data enhancement whether in its original form or by way of aggregation or anonymization; and
1.3.2 Disclosure of Retailer’s Personal Data to any third-party Controller without the express consent of Retailer.
1.4 Upon termination or expiry of this Agreement, Etail Depot shall (at Retailer’s request) destroy or return to Retailer Personal Data in its possession or control and delete existing copies (subject to any legal obligations on Retailer to keep the relevant Personal Data longer). Etail Depot shall (at Retailer’s request) provide Retailer with written confirmation of destruction/deletion of the relevant Personal Data.
2. Data Processing
2.1 The Parties agree and acknowledge that for the purpose of Data Protection Laws, Retailer will be acting as a data Controller and Etail Depot will be acting as a data Processor in respect of the Personal Data that is the subject of this Agreement.
2.2 Retailer is solely and wholly responsible for establishing and maintaining the lawful basis for the processing of Personal Data by Etail Depot under this Agreement in order to fulfil its obligations and with respect to including (where applicable) the obtaining of all necessary consents from Data Subjects.
2.3 A description of the data processing carried out by Etail Depot under this Agreement is set out in Part 1 of the Appendix to this Data Protection Schedule.
2.4 Retailer acknowledges that aggregated, anonymized data may be created based on Personal Data; provided that Data Subjects are not identifiable from this data. This data may be used and or shared with third parties for the purposes of billing, product enablement and build, testing or product improvement and for the purposes of replying to requests from public authorities.
2.5 Retailer agrees to: (i) ensure that all staff are appropriately trained in line with their responsibilities under applicable Data Protection Law; and (ii) immediately notify Etail Depot if Retailer reasonably believes that there has been or may be a security breach of its systems including, but not limited to, instances of unauthorized access or attempts to access Transaction data or End User Data and instances where there is suspected or confirmed damage, loss or theft of Transaction data or End User Data.
2.6 Etail Depot has appointed a Data Protection Officer in accordance with Data Protection Laws. Accordingly, data protection enquiries should be addressed to Etail Depot’s Data Protection Officer at DPO@Etail Depot.com.
2.6.1 Each Party shall not do or omit to do, or cause or permit anything to be done or omitted to be done, which may reasonably be expected to cause or otherwise result in a loss, alteration, theft and/or abuse of Personal Data and/or a breach of the Data Protection Laws by Retailer, Etail Depot, Providers or others.
2.7 In respect of the Personal Data processed by Etail Depot as a data Processor acting on behalf of Retailer under this Agreement, Etail Depot shall:
2.7.1 Process the Personal Data only on Retailer’s written instructions, for compliance with Applicable Laws to which Etail Depot is subject (in which case it shall, if permitted by such Applicable Laws, promptly notify Retailer of that requirement before processing), and where processing is necessary for the purposes of the legitimate interests pursued by Etail Depot, including the prevention of fraud and the maintenance of information security (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, or where the Data Subject is a child);
2.7.2 Ensure that it has in place appropriate technical and organizational measures to protect against unauthorized, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, such measures in each case to be appropriate to the likelihood and severity of harm to Data Subjects that might result from the unauthorized, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures;
2.7.3 Ensure that persons engaged in the processing of Personal Data are bound by appropriate confidentiality obligations;
2.7.4 Keep a record of the processing it carries out, and ensure the same is accurate;
2.7.5 Comply promptly with any lawful request from Retailer requesting access to, copies of, or the amendment, transfer or deletion of the Personal Data to the extent the same is necessary to allow Retailer to fulfil its own obligations under the Data Protection Law, including Retailer’s obligations arising in respect of a request from a Data Subject; 2.7.6 Notify Retailer promptly if it receives any complaint, notice or communication (whether from a Data Subject, competent authority or otherwise) relating to the processing, the Personal Data or to either Party’s compliance with the Data Protection Law as it or they relate to this Agreement, and provide Retailer with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
2.7.7 Notify Retailer promptly if, in its opinion, an instruction from Retailer infringes any Data Protection Law (provided always that Retailer acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or Etail Depot is subject to legal requirements that would make it unlawful or otherwise impossible for Etail Depot to act according to Retailer’s instructions or to comply with Data Protection Law;
2.7.8 Ensure in each case that prior to the processing of any Personal Data by any sub-processor, terms equivalent to the terms set out in this Data Protection Schedule are included in a written contract between Etail Depot and any sub-processor engaged in the processing of the Personal Data;
2.7.9 Retailer hereby authorizes the appointment by Etail Depot of each of the sub-processors (or categories of sub-processors as the case may be) that are listed in Part 2 of the Appendix to this Data Protection Schedule, and to the extent this authorization is in respect of a category of sub-processors, Etail Depot shall inform Retailer of any intended changes concerning the addition or replacement of other categories of sub-processors;
2.7.10 Subject to the terms hereof, the transfer of Personal Data may take place worldwide. If the legal grounds upon which adequate protection for the transfer of Personal Data is based ceases to be valid, Etail Depot will work with Retailer to put in place an alternative solution. Retailer acknowledges that Etail Depot may disclose the Personal Data to any applicable sub-processor, including Bank and any Affiliate, APMP and Payment Scheme, and their respective sub-processors, and such other Providers or entities to which it may be reasonably necessary to disclose and transfer Personal Data, including the competent Regulators, law enforcement authorities and anti-terrorism or organized crime agencies to whom it is necessary to disclose data.
2.7.11 Inform Retailer promptly if any Personal Data processed under this Agreement is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorized or unlawful processing including unauthorized or unlawful access or disclosure;
2.7.12 Inform Retailer if it receives a request from a Data Subject for access to that person’s Personal Data and shall:
(i) Promptly provide Retailer with reasonable co-operation and assistance in relation to such request; and
(ii) Not disclose the Personal Data to any Data Subject (or to any third party) other than at the request of Retailer or as otherwise required under this Agreement;
2.7.13 Provide reasonable assistance to Retailer in responding to requests from Data Subjects and complying with its obligations under Data Protection Law with respect to security, breach notifications, data protection impact assessments and consultations with Regulators;
2.7.14 Delete or return to Retailer the Personal Data at the end of the duration of the processing described in Part 1 of the Appendix to this Data Protection Schedule, including any and all copies thereof, other than copies of Personal Data for which Etail Depot is compelled by Applicable Law to maintain, including, but not limited to obligations arising from measures aimed at combatting money laundering and the financing of terrorism;
2.7.15 Subject to any applicable confidentiality obligations, make available to Retailer such information as is reasonably required to demonstrate Etail Depot’s compliance with this Data Protection Schedule and, subject to any other conditions set out in this Agreement, allow for and contribute to audits, including inspections, of compliance with this Data Protection Schedule conducted by Retailer or a professional independent auditor engaged by Retailer. The following requirements apply to any audit:
(i) Retailer must give a minimum thirty (30) days’ notice of its intention to audit;
(ii) Retailer may exercise the right to audit no more than once in any calendar year;
(iii) Commencement of the audit shall be subject to agreement with Etail Depot on a scope of work at least ten (10) days in advance;
(iv) Etail Depot may restrict access to certain parts of its facilities and certain records where such restriction is necessary for confidentiality purposes;
(v) The audit shall not include penetration testing, vulnerability scanning, or other security tests;
(vi) The right to audit does not include the right to inspect, copy or otherwise remove any records, other than those that relate specifically and exclusively to Retailer;
(vii) Any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Etail Depot prior to the audit; and
(viii) Retailer shall compensate Etail Depot for its reasonable costs (including for the time of its personnel, other than the Retailer relationship manager) incurred in supporting any audit.
2.8 For purposes of this Data Protection Schedule, the following defined terms apply:
2.8.1 “Controller” has the meaning set forth in the Data Protection Law.
2.8.2 “Data Subject” means an individual who is the subject of Personal Data.
2.8.3 “Process” and “Processor” have the meanings given to them in the Data Protection Law.
Appendix to the Data Protection Schedule
Part 1 – Description of the Processing
| Subject Matter of the Processing: | The processing of Personal Data to the extent necessary for the provision of the Services set out in this Agreement between Etail Depot and Retailer |
| Duration of the Processing: | The duration of the processing of Personal Data by Etail Depot under this Agreement is the period of this Agreement and the longer of such additional period as: (i) is specified in any provisions of this Agreement regarding data retention; and (ii) is required for compliance with Applicable Law. |
| Nature of the Processing: | Such processing as is necessary to enable Etail Depot to comply with its obligations, pursue its legitimate interests, exercise its rights under this Agreement, and to comply with its statutory obligations, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| Purpose of the Processing: | The performance of Etail Depot’s obligations, exercise of its rights under this Agreement, the pursuit of its legitimate interests, its compliance with statutory obligations, including the performance of functions required or requested by Retailer. |
| Personal Data Types: | Personal Data provided to Etail Depot by or on behalf of Retailer, including Personal Data provided directly to Etail Depot by a Data Subject or third party: (i) on the instruction or request of Retailer; or (ii) at the request of Etail Depot where Etail Depot has been authorized to make such request by Retailer or is legally required to make such request. The Personal Data processed under this Agreement will include (depending on the scope of Services provided): name; address; date of birth; gender; nationality; location; biometric; email address; billing address; address; country; country code; zip code; post code; user ID; telephone number; IP address, primary account number and associated Card information (or similar number or code identifying another Payment Method). |
| Categories of Data Subjects: | Personal Data related to individuals associated with Retailer (including its past, current, and future shareholders and directors). Personal data related to individuals purchasing goods and/or services from Retailer. |
| Obligations and Rights of the | As set out in the Agreement. |
| Authorized sub-processor / category of sub-processor | Description of the processing carried out by the sub-processor / category of sub-processor |
Part 2 – Authorized Sub-Processors and Categories of Sub-Processor
| Other members of Etail Depot | Any of the processing carried out by Etail Depot |
| Etail Depot’s Providers and Affiliates | Use of Personal Data in the provision of the Services under the Agreement, including payments and ancillary services, Chargebacks, the investigation of suspected incidents of fraud and other services necessary to support the provision of the Services. |
| Bank, APMs, APMPs, Financial Institutions, Payment Schemes and their respective sub-processors | Use of Personal Data in the provision of the Services under the Agreement, including payments and ancillary services, Chargebacks, the investigation of suspected incidents of fraud and other services necessary to support the provision of the Services. |
| Compliance service providers | Use of Personal Data in the performance of checks to identify politically exposed persons, persons that are subject to sanctions and other checks required by Applicable Laws |
| Technology service providers used in the administration of payment, reconciliation and fraud services | Use of Personal Data to facilitate the provision of payment services (including ancillary services) and fraud services. |
PROHIBITED ACTIVITY LIST SCHEDULE
Retailer agrees that Retailer will not knowingly, which includes where an employee acts in the course of his/her duties, at any time conduct Retailer’s business in any manner that directly or indirectly offers, sells, leases, licenses or displays, delivers, advertises, recommends, performs or promotes any product(s), service(s), data, information, image(s), text and/or any content which:
1. is associated with:
1.1 any form of adult, sexually oriented, or obscene materials or services, including without limitation, any material clearly designed to sexually arouse the viewer/reader (e.g., books, text, photos, videos, X-rated movies, pornographic materials, etc.), any materials which require individuals to be of a certain age to view or purchase those materials, escort services, and adult websites;
1.2 any form of unlawful gambling, wagering, sports book products or services, or lottery type services not affiliated with a government-run lottery service, including regulated iGaming except where specifically permitted and regulated by the government in the applicable territory;
1.3 the sale of any controlled drug or illicit substance (including but not limited to cannabis), electronic cigarettes (i.e., “e-cigarettes”), vapes or any similar product or real-world firearms or weapons;
1.4 any illegal activity, including any illegal telecommunications or cable television equipment;
2. infringes on any patent, trademark, trade secret, copyright, right of publicity, or other proprietary right of any party, including, but not limited to, the unauthorized copying and posting of trademarks, pictures, logos, software, articles, musical works and videos;
3. could damage the goodwill or reflect negatively on Bank or any Provider or Etail Depot brands;
4. is threatening, abusive, harassing, defamatory, obscene, libelous, slanderous, deceptive, fraudulent, invasive of another’s privacy, or tortuous;
5. victimizes harasses, degrades, or intimidates an individual or group of individuals on the basis of religion, gender, sexual orientation, race, ethnicity, age, or disability;
6. impersonates any person or entity;
7. contains harmful content, including, without limitation, software viruses, Trojan horses, worms, time bombs, cancel bots, spy-ware, or any other files, software programs, or technology that is designed or intended to disrupt, damage, surreptitiously intercept or expropriate Services provided by Etail Depot or any system, program, data or personal information or limit the functioning of any software, hardware, or equipment or to damage or obtain unauthorized access to any data or other information of any third party;
8. causes an unusual number of API calls to be made to the Platform (in website, application and other available formats) resulting in disruption to or denial of the Etail Depot Services;
9. violates any international export or import laws, including, without limitation, the United States Export Administration Act and the United States Export Administration Regulations maintained by the United States Department of Commerce; or
10. offers or disseminates fraudulent products, services, schemes, or promotions (i.e., make money fast schemes, chain letters, pyramid schemes) or engage in any unfair deceptive act or practice.
