Data processing addendum

Last updated on October 8, 2021

This Recharge Data Processing Addendum (“Addendum”) amends and forms a part of the written or electronic agreement(s) (the “Agreement”) by and between the individual or legal entity subject to the Agreement (“Customer”) and ReCharge Inc. (“Recharge”), a United States, California corporation with offices at 1507 20th St., Santa Monica, CA 90404, governing the Customer’s purchase and use of Recharge’s products and services (the “Service”). Capitalized terms not otherwise defined in this Addendum shall have the same definitions as in the Agreement or the meaning ascribed to the corresponding terms in the Data Protection Legislation.

1. Definitions

1.1 “Business”, “Commercial Purpose”, “Controller”, “Processor”, “Processing/Process/Processed”, “Sell”, and “Service Provider” shall be given the meanings given to them by the applicable Data Protection Legislation.

1.2 “CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder.

1.3 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.4 “Data Subject Request” means the exercise by Data Subjects of their rights in accordance with applicable Data Protection Legislation in respect of Personal Data.

1.5 “Data Protection Legislation” means, collectively: (i) the GDPR, (ii)  the CCPA, and (iii) any legislation, and/or regulation implementing or made pursuant to them or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to Processing of personal data and privacy that may exist in any relevant jurisdiction, to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement.  

1.6 “EEA” means the European Economic Area.

1.7 “EEA SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.8 “GDPR” means: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).

1.9 “Personal Data” means information that constitutes “Personal Data,” “Personal Information,” or similar information governed by applicable Data Protection Legislation that Recharge Processes pursuant to the Agreement. Notwithstanding the foregoing sentence, Personal Data does not include information that Recharge Processes in the context of the Service that it provides directly to a consumer.

1.10 “Personal Data Breach” means a breach of Recharge’s security leading to the accidental or unlawful destruction, acquisition, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Recharge’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. 

1.11 “Relevant Body” (i) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or (ii) in the context of the EEA and EU GDPR, means the European Commission.

1.12 “Restricted Country” (i) in the context of the UK, means a country or territory outside the UK; and (ii) in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK), that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.

1.13 “Restricted Data Transfer” means the disclosure, grant of access or other transfer of Personal Data to: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision by the European Commission pursuant to Article 45 of the GDPR;  and (ii) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision by the UK Information Commissioner’s Office pursuant to Article 45 of the GDPR.

1.14 “Security Measures” means the technical and organizational security measures to be applied by Processor in respect of the Personal Data, as set out in Appendix 2.

1.15 “Standard Contractual Clauses” or “SCCs” means the EEA SCCs or UK SCCs, as appropriate.

1.16 “Subprocessors” means the relevant subprocessors listed on rechargepayments.com/subprocessors.

1.17 “Supervisory Authority” means: (i) in the context of the EU GDPR, any authority within the meaning of Article 4(21) of the EU GDPR; and (ii) in the context of the UK GDPR, the UK Information Commissioner’s Office.

1.18 “UK” means the United Kingdom of Great Britain and Northern Ireland.

1.19 “UK SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2010/87.

2. Data Protection

2.1. In the course of Recharge providing the Service under the Agreement, Customer may from time-to-time provide or make available Personal Data to Recharge. The Parties acknowledge and agree that, in relation to any such Personal Data provided or made available to Recharge for Processing by Recharge under the Agreement, the Customer will be the Controller and Recharge will be the Processor for the purposes of the Data Protection Legislation.

2.2. When Recharge Processes Personal Data in the course of providing the Service, Recharge will:

2.2.1. Process the Personal Data as a Data Processor, for the purpose of providing the Service in accordance with documented instructions from the Customer (provided that such instructions are commensurate with the functionalities of the Service), to perform Recharge’s obligations and exercise Recharge’s rights under the Agreement, including to maintain records relating to the Service and comply with any legal or self-regulatory obligations relating to the Service, and as may subsequently be agreed to by the Customer. If Recharge is required by applicable laws to Process the Personal Data for any other purpose, Recharge will provide the Customer with prior notice of this requirement, unless Recharge is prohibited by such laws from providing such notice;

2.2.2. notify the Customer if, in Recharge’s opinion, the Customer’s instruction for the Processing of Personal Data infringes applicable Data Protection Legislation;

2.2.3. notify the Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Recharge’s Processing of the Personal Data;

2.2.4  upon Customer’s written request, provide Customer with such assistance as may be reasonably necessary and technically feasible in fulfilling its legal obligations under Data Protection Legislation, including data protection impact assessments and prior consultations with Supervisory Authorities which Recharge reasonably considers to be required of it by Data Protection Legislation, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing by, and information available to, Recharge;

2.2.5. upon the Customer’s reasonable written request, provide the Customer with such assistance as may be reasonably necessary and technically possible in the circumstances to assist the Customer in fulfilling its obligation to respond to Data Subject Requests. Customer shall compensate Recharge for any such assistance at Recharge’s then-current professional services rates, which shall be made available to Customer upon request;

2.2.6. upon receipt of any Data Subject Request that relates to Personal Data that Recharge Processes for the Customer, Recharge may advise the Data Subject to submit the request to Customer and Customer is solely responsible for responding to any such requests. Recharge’s notification of or response to a Data Subject Request under this Section is not an acknowledgement by Recharge of any fault or liability with respect to the Data Subject Requests; 

2.2.7. implement and maintain appropriate technical and organizational measures designed to protect the Personal Data and ensure a level of security appropriate to the risk. Recharge’s measures comprise those documented in the Security Measures listed in Appendix 2;

2.2.8. provide the Customer, upon the Customer’s reasonable written request, with up-to-date attestations, reports or extracts thereof, where available, from a source charged with auditing Recharge’s data protection practices (e.g., external auditors, internal audit, data protection auditors), or suitable certifications, to enable the Customer to assess compliance with the terms of this Addendum;

2.2.9. notify the Customer promptly upon becoming aware of and confirming any Personal Data Breach. The Customer is solely responsible for complying with Data Breach notification laws applicable to the Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Recharge’s notification of, or response to, a Personal Data Breach under this Section is not an acknowledgement by Recharge of any fault or liability with respect to the Personal Data Breach;

2.2.10. ensure that its personnel who access the Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; and

2.2.11. upon termination of the Agreement or expiry of Service involving the Processing of Personal Data, Recharge shall cease all Processing of Personal Data related to such Service except as set out in this Section. Recharge will promptly initiate its process to delete or anonymize the Personal Data, subject to Recharge retaining any copies required by applicable laws (and in that case, for such period as may be required by such applicable laws). If the Customer requests a copy of such Personal Data within 30 days of termination, Recharge will provide the Customer with a copy of such Personal Data.

2.3. The Customer shall ensure that it is entitled to give access to the relevant Personal Data to Recharge so that Recharge may lawfully Process Personal Data in accordance with the Agreement on the Customer’s behalf. The Customer shall:

2.3.1. comply with its obligations under the Data Protection Legislation which arise in relation to this Addendum, the Agreement and the receipt of the Service; and

2.3.2. not do or omit to do anything which causes Recharge (or any Subprocessor) to breach any of its obligations under the Data Protection Legislation.

2.4. In the course of providing the Service, the Customer acknowledges and agrees that Recharge may use Subprocessors to Process the Personal Data. Recharge’s use of any specific Subprocessor to Process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Recharge and the Subprocessor. Recharge will notify the Customer when including any changes to the list of Subprocessors at rechargepayments.com/subprocessors, concerning the addition or replacement of other Subprocessors. Customer acknowledges it needs to review the list after being notified and may object to such changes in writing setting out its reasonable concerns in detail within 14 days from the date of the notification. If the Customer does not object to such changes, Recharge shall have the right to continue to Process the Personal Data in accordance with the terms of this Addendum, including using the relevant subprocessors. If the Customer objects, Recharge shall consult with the Customer, consider the Customer’s concerns in good faith and inform the Customer of any measures taken to address the Customer’s concerns. If the Customer upholds its objection and/or demands significant accommodation measures which would result in a material increase in cost to provide the Services, Recharge shall be entitled to increase the fees for the Service or, at its option, terminate the Agreement.

2.5  As part of providing the Service, Data Subject’s Personal Data will be Processed in the United States. Such Processing will be completed in compliance with relevant Data Protection Legislation.

2.6  Customer acknowledges and hereby agrees that Recharge may transfer to, access and process Personal Data in a Restricted Country, as necessary to provide the Service in accordance with the Agreement. Recharge will make any such Restricted Data Transfers in compliance with the applicable Data Protection Legislation. If Recharge’s compliance with Data Protection Legislation applicable to Restricted Data Transfers is affected by circumstances outside of Recharge’s control, including if a legal instrument for Restricted Data Transfers is invalidated, amended, or replaced, then Customer and Recharge will work together in good faith to reasonably resolve such non-compliance.

2.7  Solely to the extent required to ensure the legality of Restricted Transfers, in the event that the transfer of Personal Data from Controller to Recharge involves a transfer of Personal Data, that is subject to GDPR or UK GDPR, to a Restricted Country, the SCCs shall be incorporated by reference and form an integral part of this Addendum with Controller as “data exporter” and Recharge as “data importer.” For the purposes of the EU SCCs: (i) Module Two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted; (ii) in Clause 9, Option 2 shall apply and the “time period” shall be 14 days; (iii) in Clause 11, the optional language shall not apply; (iv) in Clause 17 (Option 1) the EU SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex 1 and 3 of the EU SCCs shall be populated with the information set out in this Addendum; and (vii) Annex 2 of the EU SCCs shall be deemed to refer to the Security Measures. For the purposes of the UK SCCs: (i) the Appendices or Annexes of the UK SCCs shall be populated with the relevant information set out in this DPA; and (ii) the UK SCCs shall be governed by the laws of, and disputes shall be resolved before the courts of, England and Wales. If and to the extent the applicable SCCs conflict with any provision of this Addendum regarding the transfer of Personal Data from Customer to Recharge, the SCCs shall prevail to the extent of such conflict.

2.8  Customer acknowledges and agrees that Recharge may create and derive from Processing related to the Agreement, de-identified, anonymized and/or aggregated data that does not identify Customer or any natural person and use, publicize, or share with third parties such data to improve Recharge’s Service and for its other legitimate business purposes.

3. Miscellaneous

3.1. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. The Customer acknowledges and agrees that Recharge may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Recharge’s website, available at https://rechargepayments.com/dpa/ and such amendments to the Addendum are effective as of the date of posting. The Customer’s continued use of the Service after the amended Addendum is posted to Recharge’s website constitutes the Customer’s agreement to, and acceptance of, the amended Addendum. If the Customer does not agree to any changes to the Addendum, the Customer should cease use of the Service immediately.

3.2. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.

3.3. The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the State of California and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the State of California with respect to any dispute or claim arising out of or in connection with this Addendum.

Appendix 1 – Data Processing Details

This Appendix includes certain details of the Processing of Personal Data: (i) as required by Article 28(3) of the GDPR; and (ii) where applicable, to populate Appendix 1 to the Standard Contractual Clauses.

Recharge’s activities and purpose of the Processing

Recharge provides a subscriptions management platform.

Subject matter and duration of the Processing of Personal Data

The subject matter and duration of the Processing of Personal Data as part of the Service under the Agreement. Start date is the date Personal Data is first processed by Processor. End date is the date of termination or expiry of the Agreement. The frequency of the processing is continual and ongoing during the term of the Agreement.

The nature and purpose of the Processing of Personal Data

The processing of certain Personal Data by the Processor on behalf of the Controller in relation to allowing access of the Controller’s users to the Processor’s subscriptions management platform.

The categories of Personal Data to be Processed

Personal Data that Recharge receives as described at: https://rechargepayments.com/privacy-policy/.

The categories of Data Subjects to whom Personal Data relates

• Data Subjects about whom Recharge collects Personal Data in its provision of Service as a Processor, including Customer’s customers.
• Data Subjects about whom Personal Data is transferred to Recharge in connection with its Service as a Processor by, at the direction of, or on behalf of Customer, including Customer’s customers.

Appendix 2 – Security Measures

As from the effective date of the Addendum, Recharge will implement and maintain the security measures set out in this Appendix 2 (“Security Measures”).

1. Physical Access Control: Recharge shall take reasonable measures to prevent physical access by unauthorized persons to facilities where Personal Data is processed. Safeguards implemented at data processing facilities are controlled by third-party vendors and may include security personnel, alarm systems, access control systems, and video/CCTV surveillance.
2. System Access Control: Recharge shall take reasonable measures to prevent unauthorized access to systems processing Personal Data. Safeguards implemented may include multi-factor authentication, change management processes, and system-level logging.
3. Data Access Control: Recharge shall take reasonable measures to allow for Personal Data to be accessed and/or managed by authorized personnel only and protect against Personal Data being read, modified, or removed without authorization.
4. Transmission Control: Recharge shall take reasonable measures to prevent the disclosure of Personal Data during transmission. Safeguards implemented will include encryption over public networks.
5. Data Availability Control: Recharge shall take reasonable measures to protect against accidental destruction or loss of Personal Data. Safeguards implemented may include regular backups of Personal Data, restoration testing of Personal Data backups, replication of Personal Data backups across multiple sites, and disaster recovery plans.
6. Data Segregation Control: Recharge shall take reasonable measures to segregate Personal Data on a per customer basis. Safeguards implemented may include application-level controls for logical separation of Personal Data.

Recharge may update or modify such Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service.