DATA PROCESS

Last Updated: March 2024

How We Process Data

Welcome to Softify OÜ! By signing up for one of the applications created by Softify OÜ or by using any of the services offered by Softify OÜ, you are agreeing to be bound by the following conditions.

Softify OÜ provides a complete invoicing platform that enables Shopify merchants to unify their invoicing activities. Among other features, this platform includes a range of tools for merchants to create and customize various document types like invoices, packing slips, credit notes, return labels, and shipping labels. The Drag & Drop designer can also be used to create any kind of document type. Any new features or tools which are added to the current Services will also be subject to this document.

Softify OÜ also provides an AI-powered personalization platform that marketers and e-commerce professionals use to deliver personalized shopping experiences across the web and mobile without any technical knowledge. Any new features or tools which are added to the current Services will also be subject to this document.

We reserve the right, from time to time, to modify, amend or restate this document or any other terms, rules, or conditions that are published on this website or on our applications. We will take reasonable steps to attempt to notify you of such amendments but you agree that such notice is not required and waive any right to dispute any term of the Agreement due to a prior amendment and/or failure to receive adequate notice. If you do not agree to, or cannot comply with, the terms as amended, you are not authorized to use our applications. You will be deemed to have accepted the terms as amended if you continue to use our applications after any amendments are posted on our applications and/or the company website. We reserve the right to refuse to provide services or products to anyone at any time.

These terms are a legally binding contract between you and Softify OÜ (collectively, “Softify”, "Softify Apps", "Easy Invoice+", "Easy Upsell & Cross Sell+", “we,” or “us”) regarding your use of our applications and services. Please read these terms carefully, and keep a copy of them for your reference if possible. In this Agreement, "you," "your", "merchant", "store owner", "Shopify user" and "Customer" will refer to you. If you are visiting, using, or registering for any Softify OÜ application or service on behalf of an entity or other organization, you are agreeing to these Terms for that entity or organization and representing to Softify OÜ that you have the authority to bind that entity or organization to these Terms (and, in which case, the terms "you," "your", "merchant", "store owner", "Shopify user" and "Customer" will refer to that entity or organization).

This Data Processing Addendum (including all of its Annexes, this “Addendum”) is entered into as of the installation date of the app (the “Effective Date”) between Softify and Merchant. This Addendum amends and forms part of the service agreement(s) between the parties that reference this Addendum (including, without limitation, the Softify Privacy Policy and the Terms of Service (SAAS), if applicable) which respectively govern the software-as-a-service solutions provided by Softify to Merchant (together, the “Agreement”).

This Addendum sets out the additional terms, requirements, and conditions on which Softify will process personal data as far as such processing relates to the performance of the Services. In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions, except as otherwise stated. "Controller", "processor", "data subject", "personal data", "processing" and "appropriate technical and organizational measures" shall be interpreted in accordance with the applicable Data Protection Legislation. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or in applicable Data Protection Legislation. In order for Softify to perform its obligations under this Agreement, Softify may collect certain personal data from Merchants or their representatives (collectively referred to as "Merchants") including name and contact details (e.g., email address), financial information regarding any payments made by Merchant to Softify, IP addresses associated with Merchants' websites, business information about Merchants' businesses such as number of employees (collectively referred to as "Personal Data").

Roles of the Parties


This Addendum shall apply where Merchant acts as a controller and Softify as a processor, or where Merchant acts as a processor and Softify as a sub-processor. All parties agree to keep every data and Confidential information private and secure from any third party. Softify will not disclose or provide any personal data to any third party without written consent from Merchant, except for the purposes of complying with applicable law or regulation; investigating or preventing fraud; protecting its rights or property; enforcing this Agreement; or responding to legal process against Softify or Merchant (such as a search warrant or court order).

Compliance with Data Protection Legislation


Softify and Merchant will comply with all applicable requirements of the Data Protection Legislation. As used in this Addendum, “Data Protection Legislation” means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and (iv) the Swedish Data Act (Datalagen) 1973. Company shall be responsible for compliance with its obligations under the Data Protection Legislation in connection with its processing of Customer Personal Data on behalf of Customer.

Processing of Personal Data


This annex sets out the scope, nature, and purpose of processing by Softify. It also details the duration of the processing and the types of personal data that Softify processes.

  • Merchant agrees to have Softify process the personal data on its behalf, in accordance with Merchant's documented instructions, as otherwise necessary to provide the Services, or as otherwise agreed in writing by the parties. The scope of such instructions is initially defined by the Agreement. Softify shall inform Merchant if, in its opinion, an instruction infringes the Data Protection Legislation or if Softify becomes aware it cannot process Personal Data in accordance with Merchant's instructions due to a legal requirement under any applicable law. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Service until such time as you issue new lawful instructions with regard to the processing.
  • Merchant acknowledges that he/she is solely responsible for ensuring that any instructions it issues to Softify comply with applicable laws, including Data Protection Laws. Merchant will inform Softify without undue delay if the Merchant is not able to comply with his/her responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
  • Softify and Merchant agree that Softify will act as a "Service Provider" under the GDPR. Merchant discloses personal data to Softify solely for (i) a valid business purpose; and (ii) Softify to perform the Services. Softify is prohibited from (i) selling Merchant's personal data; (ii) collecting, retaining, using, or disclosing Merchant's personal data for any purpose other than providing the Services to Merchant; (iii) collecting, retaining, using, or disclosing Merchant's personal data outside of the direct business relationship between Softify and Merchant; and (iv) combining Merchant's personal data with personal data that Softify obtains from other sources. Softify certifies that it understands the prohibitions outlined in this Section and will comply with them. Merchant understands and agrees that Softify may use sub-processors to provide the Services and process personal data on Merchant's behalf in accordance with this Addendum.

Security


  • Softify will implement appropriate technical and organizational measures to ensure that the Merchant's personal data is processed in a manner that meets the requirements of Annex B.
  • Softify will notify Merchant without undue delay upon discovery of the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data processed by Softify on behalf of Merchant.
  • Softify will ensure that all personnel who process personal data have committed themselves to keep the personal data confidential in accordance with Softify's confidentiality obligations under the Agreement.

Assistance

  • Taking into account the nature of the processing and the information available to us, Softify shall reasonably provide the Merchant with a payment service provider that has sufficient technical and financial capacity to perform its obligations under this Agreement.
  • Merchants using Softify are provided with a number of tools to assist them in their obligations under Data Protection Laws, including responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws.
  • If the Merchant is unable to address a Data Subject Request through the Self Service Feature provided by Softify, they may submit a written request to Softify for additional assistance to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under this Agreement.
  • Upon termination of the Agreement, Softify will delete all Merchant Data and copies thereof to Merchant unless required by applicable law or where Softify has archived Merchant Data on back-up systems (including any Data Protection Legislation) to store said data. In the event that Merchant has not provided such written direction, the personal data will be deleted as set out in the Agreement.

In the event that a Data Subject Request is made directly to Softify, Softify will promptly inform Merchant and will advise the Data Subject to submit their request to Merchant. Merchant will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

Audit

  • The parties agree that Merchant must be able to assess Softify’s compliance with its obligations under Data Protection Legislation, to the extent that Softify is acting as a processor on behalf of the Merchant. This section describes the obligations of both parties in relation to data protection, and sets out the actions they will take in relation to each other’s data protection responsibilities.
  • Softify and Merchant hereby agree that Softify shall provide access to all information necessary for Softify to demonstrate compliance with Article 28 of the GDPR, including without limitation executive summaries of Softify’s information security and privacy policies, upon thirty (30) days advance written notice to Softify. Merchant shall bear its own costs and expenses in connection with such audit. For the avoidance of doubt, nothing contained herein will allow Merchant to review data pertaining to Softify’s other Merchants or partners.

Sub-Processors

  • Softify provides a written authorization to sub-processors, including Softify's Affiliates, to engage in the same data processing activities set out in the Privacy Policy. For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party. Softify and its Affiliates may engage such sub-processors to process personal data, provided that Softify and its Affiliates have entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum.
  • Softify may appoint a new sub-processor to process data on its behalf. If it does so, it will update the list of sub-processors. The Merchant can opt in to receive alerts regarding list updates via the newsletter mechanism set out at Softify's main website. If Merchant has done so, Softify will send an email publicizing the change to the email address provided by Merchant. Merchants may object to Softify's appointment or replacement of a sub-processor within 30 days of receiving notification from Softify. If Merchant does not object within this period, Softify's addition of a new sub-processor shall be deemed accepted by Merchant. If the Merchant objects and Softify believes it cannot reasonably accommodate the Merchant's objection, then the Merchant may terminate any affected services upon written notice to Softify. Any previously accrued rights and obligations will survive such termination.
  • Softify is not responsible for the acts or omissions of its sub-processors. To the extent Softify would be liable if performing the Services directly, Softify will remain liable for the acts and omissions of its sub-processors in connection with those Services.
  • Softify and the Merchant agree that in order to facilitate the provision of the Standard Contractual Clauses, Softify may remove any commercial information or clauses unrelated to those Clauses from copies of sub-processor agreements provided to the Merchant. Softify will provide the Merchant with copies of such replications upon request.
  • Merchant acknowledges and agrees that Softify may use telecommunication providers in the provision of the Service. Merchant further acknowledges that, in order to send communications for the provision of the Service, Softify may need to transmit Merchant’s communications through existing telecommunications networks and suppliers. Merchant further acknowledges that Softify may use payment gateways in the provision of Service via companies bound to comply with data protection laws but who may not have direct contracts with Softify. Merchant hereby instructs Softify to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Service, and acknowledges and agrees that telecommunications networks and payment gateways suppliers are not considered Sub-processors under either the Agreement.
  • Merchant will provide information to Softify that may contain personal data when Merchant reports potential issues with the quality of the Service. Merchant will instruct Softify to engage relevant suppliers for assistance including by providing them access to necessary data which may contain personal data for purposes of diagnosing and resolving reported issues.

International Personal Data Transfers

  • As a company, Softify is committed to protecting the privacy of its clients. This means that we will not transfer any personal data outside of the European Economic Area (EEA) without ensuring that all applicable requirements for cross-border transfers of personal data under Data Protection Legislation are satisfied.
  • To the extent that Softify processes any personal data under this Addendum that originates from the European Economic Area (“EEA”) or in a country that has not been designated by the European Commission (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses for the transfer of personal data to third countries as set out in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021 (“Standard Contractual Clauses”) which are hereby incorporated into and form part of this Addendum.
  • In the event that Merchant is deemed a controller under the General Data Protection Regulation, the parties hereby agree that insofar as data processing activities are performed by Softify on behalf of Merchant, such activities will be carried out in compliance with Annex 1 to the Standard Contractual Clauses and Annex 2 to the Standard Contractual Clauses. Softify shall be deemed the “data importer” and Merchant the “data exporter” under the Standard Contractual Clauses, and the parties will comply with their respective obligations under the Standard Contractual Clauses. Merchant grants Softify a mandate to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processor (including Softify Affiliates). Unless Softify notifies Merchant to the contrary, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C shall apply to the use of the Standard Contractual Clauses.
  • The parties agree that if Softify processes any personal data originating from a country that has not been designated by the Government as providing an adequate level of protection for personal data, and where the parties have implemented a validation mechanism for such transfers, such validation mechanism shall continue to apply to such transfers. The parties further agree that unless Merchant notifies Softify to the contrary if the government recognizes the new Standard Contractual Clauses as a valid data transfer mechanism at a date later than the Effective Date of this Addendum, such Standard Contractual Clauses will supersede and replace any existing mechanisms. The Annexes to this Addendum supersede those attached to any previous agreements signed between Merchant and Softify, except where such would represent a conflict with this section.
  • If the Merchant is using an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation), then this Addendum will not apply. If that is the case, we will work together to find a solution, but as long as it only applies to the territories to which personal data is transferred under this Addendum.

Other

  • This Addendum shall supersede and replace any existing data processing addendums, attachments, or exhibits between the parties. Any additional security measures, attachments, appendices, or exhibits related to those measures shall be in place of the Annex and supplement its provisions. If there is a conflict between the Annex and any other agreement that the Merchant has entered into with Softify regarding information security, then whichever agreement provides greater protection for personal data will govern.

Liability

In the event of any inconsistency between this Addendum and the Agreement, the terms of this Addendum shall prevail to the extent necessary to resolve such inconsistency. Although Softify is not liable for more than the amount it has received under this contract during the preceding twelve-month period, its total liability to you shall never exceed that sum. Neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data—or for any indirect, special, incidental, consequential, or punitive damages arising out of this Agreement.

Governing Law and Jurisdiction

The provisions regarding governing law and jurisdiction in the terms of service will be used to regulate and interpret this Addendum, unless it is necessary to comply with relevant Data Protection Legislation.

Termination of Addendum

The Addendum will come to an end at the same time as the app is uninstalled, and this termination will occur automatically without requiring any action.

This Addendum becomes a legally binding component of the Agreement from the Addendum Effective Date onwards.

ANNEX A contains the objectives and specific information regarding the processing of personal data.

LIST OF PARTIES

Data exporter(s):

The data exporter should send an email to support@softify.co after signing the Agreement to provide the contact information for the data protection officer or representative in the European Union (if applicable) and the contact person for data protection matters.

The data importer will undertake activities related to the transfer of personal data as specified in the Agreement while providing services to the data exporter.

Data importer(s):

The data importer will engage in activities related to the transfer of personal data as outlined in the Agreement while providing services to the data exporter.

DESCRIPTION OF TRANSFER

This refers to the groups or types of individuals whose personal data is being transferred.

The Merchant has the option to provide personal data to Softify for the purpose of enabling Softify to perform the Services. The extent of this data submission is determined and controlled solely by the Merchant, and may include, but is not limited to, personal data related to the following categories of data subjects:

  • Shopify partners, Business partners, and (who are natural persons)
  • Employees or contact persons (both of whom are natural persons) of Merchant, business partners, and vendors
  • Merchant’s end users (i.e., customers, respondents, visitors).
  • Employees, agents, advisors, contractors, or any user authorized by Merchant to use the Services (who are natural persons)

This refers to the types or categories of personal data that are being transferred.

The Merchant has the discretion to determine and control the extent of personal data submission to Softify for the purpose of enabling Softify to perform the Services. The data submitted may vary depending on the nature of the Services and may include, but is not limited to:

  • First and last name and title;
  • Employer and position;
  • Contact information (email, username, phone number, physical business address);
  • Order information
  • Device identification data (Device ID);
  • Electronic identification data (IP address);
  • Technical data (operating system information; software logs; crash reports);
  • Username and password to Softify Services; and
  • In relation to certain Softify Services, including the Softify Identity services, the geo-location of the device using such Services.

The Merchant has the ability to upload, submit, or provide personal data to the Service, and has full discretion over the extent of the data submitted. The types of personal data that may be included are typically as follows:

  • The personal data that may be submitted by Merchants may include identification and contact data (such as name, address, title, contact details, and username), financial information (including account details and payment information), and employment details (such as employer, job title, geographic location, and area of responsibility).
  • The personal data that may be transferred regarding contacts may include identification and contact data (such as name, gender, occupation or other demographic information, address, title, contact details including email address, phone, and profile photo), personal interests or preferences, and IT information (such as IP addresses, usage data, cookies data, online navigation data, location data, and browser data).
  • The project content refers to the material submitted by all customers via the Service, including texts, images, video and audio files, or other data files. The extent of the content is typically determined by the project type, which may include segmentation, consumer habits and opinions, user preferences, market segmentation, and other types of data.

If applicable, sensitive data may be transferred, and restrictions or safeguards will be applied that fully take into consideration the nature of the data and the risks involved. These measures may include strict purpose limitation, access restrictions (such as access only for staff who have completed specialized training), keeping a record of access to the data, restrictions for onward transfers, and additional security measures.

Sensitive data may only be transferred by the Merchant to Softify where it is necessary for the provision of the Services as described in the Agreement.

The safeguards applicable to the processing of such sensitive data are described in Annex B. The data is transferred on a continuous basis.

Nature of the Processing

Softify will process personal data as necessary to perform the Services in accordance with the Agreement and as further instructed by the Merchant in its use of the Services, as expressly set forth in this Addendum.

The purpose of the data transfer and any further processing will be as set out in the Agreement and as instructed by the Merchant in its use of the Services. Any additional purposes will be subject to the express consent of the data subject, as required by applicable data protection laws.

Softify will process personal data for the purposes necessary to perform the Services in accordance with the Agreement and as further instructed by the Merchant in its use of the Services, as expressly set forth in this Addendum.

The period for which personal data will be retained will be determined in accordance with the Agreement and any applicable laws and regulations governing the retention of such data. If a specific retention period is not possible, Softify will determine the retention period based on the nature of the personal data, the purposes for which it was collected, and any legal obligations or industry standards. Softify will ensure that personal data is not retained for longer than necessary to fulfill the purposes for which it was collected.

The personal data will be retained by Softify for the duration of the provision of services under the Agreement, and will be deleted or anonymized when no longer necessary for such purposes, unless otherwise required by law or regulation. The exact retention period may vary depending on the nature of the services provided and the applicable legal requirements, but Softify will follow its internal policies and procedures to ensure that personal data is not retained for longer than necessary.

When transferring personal data to (sub-) processors, the subject matter and nature of the processing will depend on the specific (sub-) processor involved and the services they are providing as part of the overall provision of services by the data importer. The duration of the processing by (sub-) processors will also depend on the specific services being provided and the terms set out in any applicable agreements or contracts.

ANNEX B should explain how the technical and organizational measures will be used.

This Annex II sets forth the security measures that Softify shall maintain in connection with the personal data submitted by Merchant to Softify to enable it to provide the services under the Agreement.

Measures of pseudonymization and encryption of personal data.

Pseudonymization and encryption are both important measures for protecting personal data. Pseudonymization involves replacing identifying information with a pseudonym or code, while encryption involves converting the data into an unreadable format using a key. Both techniques can be used to protect personal data from unauthorized access and to help ensure its confidentiality, integrity, and availability. Softify always encrypts Merchant personal data while it is in transit to and from Softify’s Applications over Shopify API and cloud networks.

Softify has implemented various technical and organizational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

Softify implements technical and organizational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of its processing systems, apps and services.

Procedures for restoring access to and availability of personal data in the event of a physical or technical incident.

Softify performs data replication and backup as necessary, which protects against data loss and helps facilitate service recovery for the Merchant.

Systematic procedures for periodically testing, evaluating, and assessing the technical and organizational measures in place to ensure the security of the data processing.

Softify employs a range of tools to constantly monitor and track security vulnerabilities with the aim of identifying, reporting, and addressing network vulnerabilities. In the course of ongoing information security efforts, the identified security vulnerabilities are assessed, prioritized, and remediated in accordance with the nature of the vulnerability, the severity of its potential impact, and other relevant factors.

In addition, Softify regularly conducts penetration testing on its networks, infrastructure, and products in order to identify any security vulnerabilities. To ensure a comprehensive view of potential vulnerabilities and attack vectors, automated penetration testing tools are utilized by Softify. These measures are taken to mitigate the risk of cyber attacks.

Steps should be taken to ensure proper user identification and authorization.

Softify employs industry-standard tools, as well as its own security products, to control, monitor, and safeguard user credentials and secrets related to access. To ensure that only authorized personnel have access to the equipment used to store Merchant personal data, Softify employs industry-standard processes to secure physical access to these systems.

Softify has developed policies that govern internal access to Merchant personal data, based on the principles of least privilege and need-to-know, taking into account individual roles and responsibilities. In order to prevent unauthorized access to the personal data of Merchants and the systems hosting it, Softify maintains methods and procedures designed to ensure adequate security. Appropriate authentication methods, such as Virtual Private Network (VPN) and Multi-Factor Authentication (MFA), are utilized to control access to the network applications and systems containing Merchant personal data.

Steps should be taken to protect data during transmission.

Softify encrypts all Merchant personal data that is processed while in transit over corporate networks, as well as when transmitted to and from Softify's Applications. This measure is taken to ensure the protection of data during transmission.

Steps should be taken to protect data during storage.

Softify encrypts Merchant personal data that is processed while at rest, wherever possible given the services being provided to the Merchant. This measure is taken to ensure the protection of data during storage.

Steps should be taken to ensure the physical security of locations where personal data is processed.

Softify applies appropriate security measures to its offices and facilities that host servers containing sensitive or critical information, including Merchant personal data. Access to these facilities is restricted to authorized personnel only. These measures are taken to ensure the physical security of locations where personal data is processed. These measures are:

  • Softify provides 24/7 monitoring and access control for these Facilities to ensure that security measures remain effective and unauthorized access is prevented.
  • A procedure should be established to promptly disable data access in case of employee termination.
  • Policies should be developed and employees trained to secure and prevent unauthorized disclosure of Merchant personal data. This may include measures such as screen locks and least privilege access.

Steps should be taken to ensure events logging.

We have implemented processes and policies to ensure that incidents are addressed and logged in accordance with the following procedures.

  • Identification refers to the process of recognizing and determining the nature of an incident. It is the first step in incident management.
  • Classification refers to the process of categorizing an incident based on its nature, severity, and impact on business operations. It helps in determining the appropriate response and resources needed to manage the incident.
  • Once an incident has been identified and classified, it should be reported to the appropriate internal stakeholders. This ensures that the necessary actions can be taken to resolve the incident and prevent similar incidents from occurring in the future.
  • An incident should be mitigated and remediated throughout the incident response stages, including post-incident assessments. This involves taking the necessary steps to resolve the incident and prevent it from happening again in the future. Post-incident assessments help to identify any areas for improvement and enable organizations to strengthen their incident response procedures.

System configuration measures include default settings.

Softify follows a rigorous process to develop, document, and maintain a current baseline configuration for its systems, which is kept under configuration control. These configurations are reviewed at least annually to ensure they remain effective in mitigating potential security risks. In addition, Softify removes default configurations of technical controls prior to operational use, to reduce the risk of unauthorized access and other security threats.

Implementing internal IT governance and security management systems.

Implementing internal IT governance and security management systems is an important step in ensuring the security of an organization's data and systems. This involves developing and implementing policies and procedures to manage and monitor the organization's IT systems and processes, and ensuring that they are in compliance with relevant regulations and standards.

The IT governance framework provides a structure for the organization's IT activities and helps to align IT with business objectives. Security management systems provide a framework for identifying, assessing, and managing security risks, and implementing controls to mitigate these risks. Both of these systems work together to ensure that the organization's IT systems are secure, resilient, and aligned with business objectives.

Process and product certifications are measures used to guarantee the quality of products or systems.

Softify follows best practices when developing its products and services.

A privacy protection plan that identifies necessary data collection and minimizes the amount of personal information collected.

In accordance with GDPR requirements, all of Softify’s employees must undergo information security training and awareness sessions. The course includes modules about the importance of data minimization.

Softify offers practical guidance for employees designed to ensure that the data they process is limited in scope and time to the extent necessary.

Softify processes the data that we receive from Merchants. The amount of information we retain is determined by our customer's preferences.

Data Quality

Softify is solely responsible for the security and confidentiality of Merchant personal data that it processes through the Shopify API. However, Softify is not responsible for the accuracy or completeness of the data provided by the Merchants. Merchants are responsible for ensuring the accuracy and completeness of their data, and Softify processes that data as provided by the Merchants.

The quality of the data generated by Softify’s products is ensured by the implementation of secure development practices. When introducing or modifying code, this includes:

Measures for limiting the amount of time that personal data is retained.

Softify adheres to the retention period specified in the Agreement or Documentation with the Merchant, and retains Merchant Information only for as long as required. If applicable laws or regulations require a longer retention period, Softify will retain the Merchant Information for the necessary period of time. Once the retention period has elapsed, or if Softify is no longer required to retain the Merchant Information, Softify will securely dispose of or delete the Merchant Information in a manner that ensures confidentiality, integrity, and availability of the Merchant Information.

Softify adheres to applicable laws and the Agreement when securely disposing of Merchant personal data. Softify ensures that the Merchant personal data cannot be read or reconstructed by using industry-standard processes and procedures for secure data disposal, including cryptographic erasure, overwriting, or physical destruction. Softify takes all necessary measures to ensure the confidentiality, integrity, and availability of the Merchant personal data during the disposal process.

Measures to ensure accountability.

Softify's approach to information security is comprehensive and includes a range of practices and procedures. These include asset management, access management, physical security, people security, network security, third-party security, product security, vulnerability management, security monitoring, and incident response. Softify's management approves all information security policies and standards, which are accessible to all employees. By implementing this framework, Softify aims to ensure the confidentiality, integrity, and availability of Merchant personal data and protect against security threats and incidents.

Data Portability

Softify takes appropriate security measures to ensure that Merchant personal data is accessible only to authorized individuals for legitimate business purposes, even if Merchants have access to view their own data through a Softify app. Access controls, such as multi-factor authentication and role-based access controls, are implemented to limit access to sensitive data only to those who require it for their job functions. Softify also provides training to its employees on the significance of data privacy and security and mandates strict guidelines and procedures when accessing and handling Merchant personal data.

Before collaborating with a new third party that could access Merchant personal data, Softify assesses the third party's data security standards using a risk assessment to determine their qualification. If Softify deems it necessary, it will continuously monitor the third party to meet its information security standards. This includes implementing measures that mirror Softify's assistance obligations towards Merchants as outlined in the Data Processing Addendum.

ANNEX C contains supplementary terms.

This additional section, known as the Annex, should be considered in conjunction with the Standard Contractual Clauses. Any mention of the term "Clauses" within this Annex should be interpreted as a reference to the Standard Contractual Clauses.

Under this Annex, the data subject is authorized to enforce Paragraph 2 and Paragraph 4 against the data importer as a third-party beneficiary. This enforcement can be done in accordance with Clause 3 of the Standard Contractual Clauses.

The party importing the data is required to provide reasonable assistance to the party exporting the data to facilitate ongoing assessments of the adequacy of personal data protection in accordance with applicable data protection laws.

If the data importer receives a legally binding order or request from a government or law enforcement agency to disclose personal data, they will comply with the request in accordance with Clause 15 of the Standard Contractual Clauses. The data importer will also notify the data exporter of the request, unless legally prohibited from doing so. If the data exporter decides to challenge the request, the data importer will provide reasonable assistance to the data exporter, taking into account the nature of the request and the available information. The data importer will also comply with any reasonable instructions provided by the data exporter to respond to the request.