This Data Processing Agreement including its annexes, schedules, and appendices (“Agreement”, “Data Processing Agreement,” or “DPA”) will be effective and replace any previously applicable data processing terms and shall supersede all other terms related to data processing between the Parties.

Between:

1) User, a company incorporated under the laws of the Data Controller Country with its User Registered Address (the “User”, “Data Controller” or the “Controller”); and

2) AfterShip (“AfterShip”, the “Data Processor” or “Processor”);

(each a “Party” and collectively the “Parties”).

Recitals

A. Data Controller provides goods and/or services to End-Users. Data Controller acts as the controller of Personal Data in the course of providing goods and/or services to End-Users.

B. Data Processor will process Personal Data on Data Controller’s behalf so that Data Processor may provide Services to Data Controller pursuant to the Main Agreement (the “Purpose”), and Data Controller will make Personal Data available to Data Processor for the Purpose.

C. The Parties agree that the provision of Data and the processing activities thereto shall comply with the provisions of this Agreement.

1. Details of the Processing Operations

1.1 Data Processor will process, use, modify, collect and store the Personal Data within the meaning of Applicable Data Protection Laws as described in Schedule B. The appointed contact person for Data Processor is AfterShip’s Data Protection Officer.

1.2 Data Processor will process Personal Data during the provision of the Services for Data Controller, as long as necessary to fulfil the Purpose and extended to the extent required by law to meet any legal retention periods or in connection with Personal Data related to acts which can have legal effects which shall be stored for evidentiary purposes for the duration of the statute of limitations. Personal Data will be retained by AfterShip based on Controller’s instructions and AfterShip retention policy.

1.3 The processing, including processing operations and relevant instructions from Data Controller to Data Processor are set forth in Schedule B. The Parties agree that this DPA constitutes a set of documented instructions from Controller to Processor.

1.4 If User acts as a data processor to another data controller regarding Personal Data processed under this DPA, the following shall apply:

  1.4.1 User shall warrant, on an ongoing basis, that the relevant data controller has expressly authorized User, in writing, to (i) appoint AfterShip as data subprocessor of the Personal Data and the instructions set forth in this DPA, (ii) effect the Personal Data Transfers, and (iii) authorize AfterShip’s engagement of the Authorized Subprocessors;
  1.4.2 Sections 2.1, 2.2.1 of the DPA shall not apply;
  1.4.3 User shall immediately forward to the relevant data controller any notice provided by AfterShip under Sections 3.2.3 (breach notification), 6.1 (opportunity to object to Authorized Subprocessor changes), or that refers to any EU SCCs;
  1.4.4 User may make available to the relevant data controller any information made available by AfterShip under Schedule A and with respect to the Authorized Subprocessors and Authorized Carriers;
  1.4.5 Notwithstanding anything to the contrary in the Agreement or in this DPA, User shall indemnify and hold AfterShip harmless from and against any and all actions, demands, liability, claims, damages, losses, penalties, fines and expenses including attorneys' fees and court costs, made by any data subject, any data controller or any other third party, due to, arising out of, resulting from or in connection with (i) an action or omission committed by AfterShip, to the extent that such action or omission resulted from User’s (or any data controller’s) instructions to AfterShip; (ii) User’s failure to comply with this Section 1.4; or (iii) User’s failure to comply with its obligations as data processor under Applicable Data Protection Laws or any agreement with any data controllers;
  1.4.6 Excluding this Section 1.4, any reference to “Data Controller” or “Controller” in this DPA shall be replaced by “Data Processor” and “Processor”;
  1.4.7 Excluding this Section 1.4, any reference to “Data Processor” or “Processor” in this DPA shall be replaced by “Data Subprocessor”;
  1.4.8 The EU SCCs (processor to processor) shall apply to the Processing instead of the EU SCCs (controller to processor).

2. Obligations of Data Controller

2.1 General

  2.1.1 The Controller determines the purposes and means of Personal Data processing.
  2.1.2 The Controller shall abide by any Applicable Data Protection Laws.
  2.1.3 The Data Controller acknowledges that with respect to Personal Data provided under this DPA, it shall:
    1. implement appropriate technical and organizational measures to ensure that processing is performed in accordance with Applicable Data Protection Laws, as well as demonstrate such;
    2. establish a procedure for data subjects to exercise their rights under Applicable Data Protection Laws with respect to Personal Data collected;
    3. only process Personal Data which is lawfully and validly collected and ensure that such Personal Data is relevant and proportionate to the Purpose;
    4. process and collect Personal Data lawfully, including obtaining the necessary consents and acknowledgements when required;
    5. meet all transparency obligations, including notifications to data subjects of possible international transfers and recipients of Personal Data, and demonstrate compliance with such transparency obligations;
    6. implement technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful (i) destruction, (ii) loss, (iii) alteration, (iv) disclosure, or (v) access, as well as ensuring a level of security at least commensurate with industry standards and the requirements of Applicable Data Protection Laws; and
    7. Excluding this Section 2.4, any reference to “Data Processor” or “Processor” in this DPA shall be replaced by “Data Subprocessor”;
    8. take all necessary steps to comply with Applicable Data Protection Laws and this DPA, including Controller’s Personnel and by any other person accessing, processing, transferring or using Personal Data on its behalf.

2.2 Legal Basis and Storage

  2.2.1 Data Controller shall choose which categories of AfterShip Services will be provided in connection with the End-Users. The Controller shall also determine the legal basis for Personal Data processing, as well as ensure transparent communication of such to End-User.
  2.2.2 Data Controller acknowledges that, for applicable categories of AfterShip Services, AfterShip may use cookies, pixels and web-beacons and other tools as further described in Schedule B and in the Documentation (“Cookies”) and that it is necessary to provide the requisite notices and measures to ensure proper collection of End-User consent in connection with such Cookies.
  2.2.3 Data Controller acknowledges that some AfterShip Services require the tracking of End-User behaviour, as described in Schedule B and the Documentation, and Controller represents and warrants that it has conducted the requisite legal analysis with respect to Applicable Data Protection Laws to ensure that said tracking is in compliance with Applicable Data Protection Laws.

3. Obligations of Data Processor

3.1 Data Processor shall comply with Applicable Data Protection Laws which apply to the provision of the Services.

3.2 Data Processor shall:

  3.2.1 assist Data Controller, as reasonably possible, with responding to data subject requests under Applicable Data Protection Laws; provided that Data Processor may charge an additional administrative fee for such assistance;
  3.2.2 assist Data Controller in complying with Applicable Data Protection Laws concerning: (i) security of processing, (ii) notification of Personal Data breaches to supervisory authorities and data subjects, where applicable, (iii) conducting data protection impact assessments, if required; and (iv) consulting with supervisory authorities, where necessary;
  3.2.3 notify the Data Controller of any Personal Data breach within seventy-two (72) hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals;
  3.2.4 ensure that only personnel strictly necessary to fulfil the Data Processor's obligations under this agreement have access to Personal Data and that such personnel are subject to confidentiality obligations;
  3.2.5 upon termination of the agreement or the provision of services, and at the choice of the Data Controller, either delete or return all Personal Data, unless applicable law requires otherwise; provided however, that Processor may retain Personal Data solely for archival and backup purposes, in accordance with Processor’s data retention policies, which will (i) not exceed the period necessary to fulfill these purposes or as required by Applicable Data Protection Laws, and (ii) be securely stored, access-restricted, and deleted upon expiry of such retention period; and
  3.2.6 provide Data Controller with sufficient information to demonstrate compliance with these obligations.

3.3 Audits. Processor may use external auditors, from time to time, to verify the adequacy of its Personal Data processing security measures (each an “Audit”). Audits are performed at least once annually at Processor’s expense by an independent auditor selected at Processor’s discretion, such auditor delivering a confidential audit report (an “Audit Report”). Upon Controller’s written request (and no more than once per annum), Processor will make available to Controller a copy of the most recent Audit Report. Controller agrees that the Audit Report satisfies any audit right granted by Applicable Data Protection Laws. If an Audit Report does not provide sufficient information, or Controller is required to respond to a regulatory authority audit for which the Audit Report is not sufficient, then the Controller shall notify Processor at least ten (10) business days in advance, and the Parties shall develop a jointly agreed-upon audit plan that includes: (a) appointment of an independent third party auditor; (b) the necessary access period during business hours; (c) billing to Controller at Processor's then-current rates; (d) occurs no more than once annually; and (e) restricts its findings to only data relevant to Controller. All information disclosed pursuant to this clause shall be treated as Confidential Information.

3.4 Data Processor represents and warrants to process all Personal Data in accordance with Applicable Data Protection Laws.

3.5 Data Processor shall implement the appropriate technical and organizational measures set forth in Schedule A.

3.6 Any and all unreasonable expenses for compliance with the obligations set forth above in this DPA shall be borne by Data Controller.

4. Personal Data Transfers

4.1 Data Processor shall only process Personal Data on documented instructions from Data Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Laws to which Data Processor is subject. For purposes hereof, this DPA serves as a set of documented instructions from Controller to Processor.

4.2 The Data Controller authorizes Data Processor to transfer Personal Data to its Authorized Subprocessors and/or Authorized Carriers, including transfers to countries outside the Data Controller's country. For EU, Swiss, or UK Data Controllers, this includes transfers outside the EEA, Switzerland, or the United Kingdom.

4.3 Before transferring Personal Data to a country different from where it was first collected, the Data Processor will take reasonable measures to comply with Applicable Data Protection Laws, including implementing appropriate safeguards where required.

4.4 Restricted Transfers outside the EEA and Switzerland:

  a. Where User is a Controller of the Personal Data protected by GDPR, then (i) Module 2 of the EU SCCs applies between User as "data exporter" and AfterShip as "data importer" on the following basis: (ii) in Clause 7, the optional docking clause will apply, (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Section 6 of this DPA; (iv) in Clause 11, the optional language shall not apply, (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Belgian law, (vi) in Clause 18(b), disputes shall be resolved before the French-speaking courts of Brussels, (vii) for Annex 1, Parties’ addresses, contact details, etc. are described in the definitions of the Parties provided in this DPA; the appointed contact person for the Processor is described in Section 1 of this DPA; the description of the transfer is set forth in Section 1 and Schedule B of this DPA; the competent supervisory authority shall be defined in accordance with Clause 13 of the EU SCCs; (viii) Annex 2 to the EU SCCs will be deemed to incorporate Schedule A to this DPA and (ix) Annex 3 to the EU SCCs will be the Authorized Subprocessors and Authorized Carriers. Where User is a Controller of Personal Data protected by the Swiss DPA, then Module 2 of the EU SCCs applies between User as “data exporter” and AfterShip as “data importer” on the preceding basis and additionally: (i) in Clause 13 the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commission; (ii) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c), (iii) all references to GDPR in this Addendum are also deemed to refer to the Swiss DPA, and (iv) the EU SCCs also protect the Personal Data of legal entities until such time as a revised Swiss DPA enters into force.
  b. Where User is a Data Processor to another Controller, Section 4.4.b. shall consist in all the clauses provided in Section 4.4.a. excluding clause (i), which shall be deleted and replaced in its entirety by the following paragraph: “Module Three (Processor to Processor) of the EU SCCs apply where the User is Data Exporter and AfterShip is Data Importer.”

4.5 Restricted Transfers outside the United Kingdom:

  a. In respect of Personal Data subject to UK GDPR, the Parties agree (i) to rely on the Applicable EU SCCs as completed in Section 4.4 and as amended by the UK Addendum, (ii) the details shall be deemed to be completed as set forth in Section 4.4.a., (iii) the UK SCCs shall be incorporated by this reference and form an integral part of this DPA and that (iv) Data Controller shall be “Data Exporter” and Data Processor shall be “Data Importer”.
  b. The Applicable EU SCCs will have the following modifications: (i) Table 1 of the UK Addendum shall be populated as follows: “Start date: As set forth in the Main Agreement; Parties’ details: as set forth in this DPA and in the Main Agreement; and Key Contact: See Section 2 of this DPA and/or the Main Agreement”; (ii) Table 2 (“Addendum EU SCCs”) of the UK Addendum refers to the EU SCCs as defined in this DPA with details and applicable clauses described in Section 4.4; (iii) Table 3 of the UK Addendum shall be populated as follows: “The “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: Annex 1A: List of Parties: as defined in the DPA; Annex 1B: Description of Transfer: as set forth in Schedule B and other sections of the DPA; Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: as set forth in Schedule A of the DPA; Annex III: List of Sub processors: Authorized Subprocessors and Authorized Carriers”; and (iv) in Table 4 of the UK Addendum, either party may end the UK Addendum in accordance with its terms and the respective box for each is deemed checked.
  c. Mandatory Clauses: the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of UK GDPR on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

5. US Consumers

This Section applies when US Data Protection Laws are applicable to the Personal Data processed under this DPA. Terms such as “Business Purpose,” “Commercial Purpose,” “Deidentified,” “Sell,” “Sale,” “Service Provider,” and “Share” shall have the meanings given to them in US Data Protection Laws, and “Share” shall follow its definition under the CCPA.

5.1 Data Processor Obligations. When processing Personal Data subject to US Data Protection Laws, Data Processor will:

  5.1.1 retain, use, and disclose Personal Data solely for providing the Services and not for any other purpose, including Commercial Purposes, outside its direct business relationship with the Data Controller, unless otherwise permitted by US Data Protection Laws;
  5.1.2 not Sell or Share Personal Data;
  5.1.3 not combine Personal Data with other data collected from different sources unless required for the Services, with consent or direction from the Data Controller, or as otherwise permitted by US Data Protection Laws;
  5.1.4 in connection with Personal Data processing: (i) comply with applicable Service Provider obligations under US Data Protection Laws, including maintaining the same level of privacy protection as required by the Data Controller, and (ii) notify the Data Controller if unable to meet these obligations;
  5.1.5 only engage Authorized Subprocessors in compliance with US Data Protection Laws under a contract requiring protections comparable to this DPA;
  5.1.6 upon reasonable notice and subject to confidentiality obligations, assist the Data Controller with verifying that the Data Processor’s use of Personal Data aligns with the Data Controller’s obligations under US Data Protection Laws;
  5.1.7 upon request, provide a reasonable report assessing the Data Processor’s policies and technical/organizational measures to support compliance with US Data Protection Laws, using a recognized control standard or framework; and
  5.1.8 upon termination of the DPA, (i) promptly delete or Deidentify Personal Data in compliance with US Data Protection Laws and (ii) upon request, return such Personal Data to the Data Controller within 60 days of termination.


5.2 Data Controller Obligations. When processing Personal Data subject to US Data Protection Laws, the Data Controller represents and warrants that it shall:

  5.2.1 obtain all necessary consents, rights, and authorisations, and provide required notices to individuals for disclosing Personal Data to the Data Processor under US Data Protection Laws;
  5.2.2 not share Personal Data of individuals who have exercised an opt-out that the Data Controller has committed to honour;
  5.2.3 not share sensitive data of US Consumers without their consent for such processing;
  5.2.4 inform the Data Processor of any rights requests made to the Data Controller and provide information necessary for the Data Processor to fulfil its obligations under US Data Protection Laws; and
  5.2.5 remain solely responsible for its compliance with US Data Protection Laws.

5.3 The Parties agree that: (i) the existence of this DPA does not constitute an admission that sharing Personal Data constitutes a Sale or Share; and (ii) the Data Processor does not provide monetary or other valuable consideration to the Data Controller in exchange for Personal Data.

6. Authorized Subprocessors

Data Processor may engage Authorized Subprocessors to perform processing activities under this DPA. Any changes to Authorized Subprocessors will be notified to Data Controller, who may object within fifteen (15) days by contacting privacy@aftership.com with a reasonably justified objection. If no agreement is reached after a reasonable effort, Data Processor may terminate the Services immediately without liability or further notice, overriding any conflicting provisions in this DPA or Main Agreement. Data Processor shall ensure that Authorized Subprocessors are contractually bound to provide data protection obligations equivalent to this DPA. Data Processor remains liable for any failure by its Authorized Subprocessors to meet their obligations.

7. Authorized Carriers

7.1 Data Processor is authorized to transfer Personal Data to, and receive Personal Data from, Authorized Carriers for the performance and enhancement of the Services. Data Controller acknowledges that Authorized Carriers are independent controllers of the Personal Data. Authorized Carriers are not considered subprocessors or subcontractors of Data Processor under Applicable Data Protection Laws. Data Processor shall not be liable for processing activities performed by Authorized Carriers.

7.2 Provision and processing of User supplied Personal Data by Data Processor to an Authorized Carrier, and information that flows therefrom, shall (i) constitute an essential part of the Services and (ii) form part of the User’s instruction to Data Processor.

8. Support

For Support Access, Data Processor’s personnel may require access to User’s account using login credentials provided by the User, which may include Personal Data. If Support Access is deemed necessary, User authorizes Data Processor to enable Support Access and agrees to provide the required credentials. Certain data processing may only occur with Support Access; if revoked, Data Processor may be unable to process the affected data. User retains the right to deactivate Support Access at any time via account settings. If deactivated, Data Processor shall not be liable for the inability to provide Services requiring Support Access.

9. AfterShip Package Tracker App

Services provided through the AfterShip Package Tracker App operate independently of the Main Agreement. Processing of Mobile App Data upon AfterShip Customer’s request is not subject to this DPA. Mobile App Data processed via the AfterShip Package Tracker App is controlled by AfterShip as an independent controller. The User acknowledges AfterShip’s independent controller role for processing data under the App.

10. Limitation of Liability and Indemnity

All limitations of liability and indemnity provisions from the Main Agreement apply to this DPA, except for Section 1.4.5, which remains unaffected.

11. Other Provisions

11.1 This DPA is governed by the governing law of the Main Agreement, and any disputes shall be resolved exclusively in accordance with the Main Agreement. In the absence of any such provision in the Main Agreement, the laws of the Republic of Singapore shall apply, without reference to conflicts of law principles, and the courts of Singapore shall have exclusive jurisdiction.

11.2 This DPA, along with its schedules and annexes, constitutes the entire agreement and supersedes all prior agreements on its subject matter.

11.3 If any conflict arises between this DPA and the Main Agreement, the DPA shall prevail, and if conflicts arise between this DPA and the Applicable EU SCCs or UK SCCs, the SCCs shall prevail.

11.4 Pursuant to Article 27 of the GDPR, AfterShip has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You may contact EDPO regarding matters pertaining to the GDPR:

  • by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
  • by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
  • with copy to AfterShip’s Data Protection Officer, by email or mail, respectively at dpo@aftership.com or WeWork, Paseo de Gracia 17, 08007 Barcelona, Spain.

11.5 For purposes of the PDPA, AfterShip’s Data Protection Officer may be contacted, by email or mail, respectively at dpo@aftership.com or 120 Robinson Road #13-01, Singapore 068913.

12. Definitions

Capitalized terms used in this Agreement but not defined herein shall have the meaning (i) ascribed to them in the Main Agreement or, if not defined in said document(s), (ii) given to such terms in Applicable Data Protection Laws. For purposes of the DPA, the following terms shall have the following meanings:

AfterShip Customers means any and all End-Users which are AfterShip customers and use the AfterShip Package Tracker App.

Applicable Data Protection Laws means all data protection and privacy laws applicable to the Personal Data and processing activities in the framework of the Services and DPA including, as applicable: (i) the General Data Protection Regulation (2016/679) (“GDPR”), (ii) the US Data Protection Laws, (iii) the UK Data Protection Act 2018 (“UK GDPR”), (iv) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”), (v) the Singapore Personal Data Protection Act 2012 (“PDPA”) and (vi) any and all data protection laws and regulations applicable to Personal Data covered under this DPA, in each case as amended, superseded or replaced from time to time.

Applicable EU SCCs means either (i) the EU SCCs in Section 4.4.a.(1) or (ii) in case Section 1.4 is applicable, the EU SCCs in Section 4.4.b.

AfterShip Package Tracker App means the mobile software application of AfterShip which AfterShip Customers use to allow them to access, manage and process their Mobile App Data.

Authorized Carriers means the carriers set forth at https://docs.aftership.com/api/4/supported-couriers, each of which is an independent controller of relevant Personal Data and to which Data Processor is authorized to transfer Personal Data.

Authorized Subprocessors means (i) the subprocessors set forth at https://www.aftership.com/legal/subprocessors, and (ii) any AfterShip Affiliate, each of which is expressly authorized by Data Controller to process the Personal Data under this DPA.

Data Controller Country means the country under which Data Controller is incorporated as included in its User Registered Address.

EEA/Swiss/UK Adequate Countries are all countries (i) in respect of Personal Data which is subject to the GDPR, the European Economic Area (“EEA”) and any other territory which the European Commission has determined ensures an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, (ii) in respect of Personal Data which is subject to the Swiss DPA, any country which is recognized to provide adequate protection by the Swiss Federal Data Protection and Information Commission and (iii) in respect of Personal Data which is subject to the UK GDPR, the United Kingdom and any other territory which the UK Secretary of State has by regulations specified ensures an adequate level of protection for Personal Data pursuant to Article 45 of the UK GDPR and Section 17A of the UK Data Protection Act 2018.

EU SCCs means the standard contractual clauses approved by the European Commission in the decision annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 as may be amended, superseded, or replaced from time to time and available here.

Main Agreement means all relevant agreements and/or terms applicable to the Parties in connection with AfterShip Services including, as applicable, the AfterShip Terms of Service, the Master Services Agreement, the Subscription Plan, and/or the Work Order, whichever is applicable between the Parties.

Mobile App Data means any Personal Data included in the following categories of Personal Data as defined in Schedule B: Shipping Information, Order Information, End-User Information, Tracking Information, End-User Behavioral Data, Shopping Cart Information, Checkout Information, Product Review Information and Shipment Review Information.

Restricted Transfer means a transfer of Personal Data that is subject to GDPR, Swiss DPA and/or UK GDPR respectively outside of the EEA/Swiss/UK Adequate Countries.

Support Access means access by Data Processor Personnel to User's account, credentials, systems, or Personal Data for the purpose of providing support, debugging, assistance, or as otherwise required to deliver the Services.

UK SCCs means the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR as may be amended, superseded, or replaced from time to time and include the UK International Data Transfer Addendum (the “UK Addendum”).

US Consumer means an individual that is a “consumer” as defined under US Data Protection Laws.

US Data Protection Laws means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and other similar comprehensive state privacy laws that place obligations on a controller in relation to Personal Data (as defined under such laws), and any relevant regulation, rule or other binding instrument which implements such laws, in each case as applicable and in force, and as amended, superseded, or replaced from time to time.

SCHEDULE A

Technical and Organizational Security Measures


In accordance with Clause 4 of the DPA, Data Processor will maintain appropriate organizational and technical security measures to protect the Data against unauthorized access, loss, alteration, disclosure, destruction, or other unlawful processing, particularly during transmission over a network. In determining these measures, Data Processor will consider the state of the art, implementation costs, processing context, and the risks to individuals’ rights and freedoms. The specific security measures are outlined below:

| Category | Subcategory | Relevant Security Issue | AfterShip Implementation |
|---|---|---|---|
| Privacy / Security | Data Retention and Storage | Data storage | All data, including collected personal data, are stored in the cloud through the cloud services as shown in the Authorized Subprocessors’ list. The location of the data centres is further described in the Authorized Subprocessors list. |
| Privacy / Security | Data Retention and Storage | Personal data retention and erasure | There are defined retention periods for collected personal data. If the personal data are no longer required to be retained, they are systematically destroyed and/or anonymized. |
| Security | Access Control Management | Implemented password policies, password controls; encryption / hashing of passwords | AfterShip has implemented internal password policies to specify security requirements and avoid employees using weak passwords. 2FA authentication is enabled to enforce account security. When stored by AfterShip, passwords are hashed by SHA-1 or SHA-256 algorithm with a random salt. |
| Security | Access Control Management | Immediate removal of access rights for users leaving the organization | Employee off-boarding procedures are in place to ensure employees' access rights are removed when leaving. |
| Security | Business Continuity Management | Backup policies and frequency | Daily backup performed by cloud services at primary and secondary data centres. |
| Security | Business Continuity Management | Disaster recovery sites in multiple/diverse geographic locations | The data centres hosting the cloud services are located in different locations to reduce risks of data loss. |
| Privacy / Security | Governance | Security awareness training program currently in place: topics and frequency | Security awareness training is implemented when onboarding employees. Main topics covered during the training include: general obligations under various information security policies, standards, procedures, guidelines, applicable security related laws and regulations, contractual terms and standards of ethics and acceptable behaviour. |
| Privacy / Security | Incident Response Management | Incident response procedures in place; existence of a team with defined roles and responsibilities; existence of communication procedures regarding security incidents such as data breaches; notification timeframe regarding third parties | Data breach response team and plan are in place (Detect, Contain, Analyze, Notify, Respond, Document, Learn). Data breach response team checklist, with defined roles and responsibilities. Data security vulnerabilities are acknowledged within 24 hours after notification. |


SCHEDULE B


  1. How AfterShip Collects Personal Data

AfterShip collects the Personal Data through the following means: (i) the AfterShip API; (ii) User communications; (iii) the Authorized Carriers' systems (e.g., API, web-crawlers); (iv) Cookies (e.g., cookies, pixels, web beacons on the User’s website); and (v) platform integrations (e.g., Shopify, Magento, TikTok APIs or webhooks).

  2. Cookies, Pixels and Web Beacons Management

When Cookies are used as outlined in Section 7 of this Schedule B, the following applies: (i) AfterShip uses End-Users’ IP addresses to identify whether they fall under the EU GDPR, Swiss DPA, UK GDPR, or CCPA; (ii) Users are responsible for implementing consent mechanisms (e.g., cookie banners, privacy policies) to comply with Applicable Data Protection Laws, including but not limited to the GDPR, Swiss DPA, UK GDPR, and CCPA, for End-Users in the relevant jurisdictions; (iii) for Shopify Users with the Shopify cookie banner installed, AfterShip will implement Cookies for the European Union, Switzerland, the United Kingdom, and California; non-Shopify Users must ensure that their own consent mechanisms are in place, as AfterShip cannot verify consent in such cases; and (iv) Users may contact AfterShip customer support at support@aftership.com for any Cookie-related queries.

  3. Description and Nature of Processing Activities and Services
Service | Category of Services
Description of the Processing Activities and the Service

AfterShip Tracking | Tracking (API)

Service that enables Users to retrieve tracking information from the AfterShip API

AfterShip Tracking | Tracking (Platform)

Service that enables Users to provide a tracking experience to End-Users:
- to retrieve tracking information from AfterShip
- to manage the delivery status of all shipments
- to monitor shipping performance
- to customize the tracking experience

AfterShip Tracking | Branded tracking page

Service that enables Users to provide a branded parcel-tracking page to End-Users

AfterShip Tracking | AI Recommendation

Service that enables Users to provide product recommendations to End-Users

AfterShip Tracking | Email and SMS notifications

Service that enables Users to send delivery emails or SMS notifications to End-Users and to customize the notification experience

AfterShip Tracking | Notifications revenue

Service that enables Users to analyse the potential gross revenue indirectly generated from email notifications when an End-User purchases an item after clicking on the link received in the email notification (may also include the conversion rate)

AfterShip EDD | AI-Predictive Estimated Delivery Date Widget

Service with the following features:
- the AI model detects the consumer's IP address in order to provide an Estimated Delivery Date (EDD)
- provides city-to-city level of accuracy
- the estimated delivery date is shown on the product page and checkout page

AfterShip EDD | AI-Predictive Estimated Delivery Dates

Service with the following features:
- to provide estimated delivery dates
- to show estimated delivery dates on the AfterShip Tracking, Branded tracking page and Notifications services
- to provide delay notifications

Shipping | N/A

Service which enables Users:
- to generate and print shipping labels
- to calculate and compare shipping rates
- to manifest (i.e. send data to Authorized Carriers)
- to view shipping performance
- to manage all carrier account information in one place

AfterShip Returns | Returns Centre

Service which enables Users:
- to provide a branded returns experience to End-Users
- to send returns status update notifications to End-Users
- to manage all returns requests in one place
- to monitor returns performance
- to customize the returns and notification experience

AfterShip Returns | Returns page

Service which enables Users to provide a returns page to End-Users

AfterShip Parser | Parser

Service which enables Users to use (i) email detection services, in order to detect whether an email includes relevant Order Information, and (ii) email parsing services, which consist in extracting the categories of data defined in this Data Processing Agreement from the Data.

AfterShip Protection | Protection

Service provided to Users to offer End-Users potential protection from lost, damaged, or porch-pirated packages; the Insurance Provider is UPSCIA (as defined in the applicable AfterShip Protection terms)

AfterShip Protection | Protection widget

Service that enables End-Users to subscribe to AfterShip Protection services on the cart or checkout pages

AfterShip Email | Tracking Notification

Service which enables Users to send delivery emails to End-Users and to customize the notification experience

AfterShip Email | Marketing

Service which enables Users:
- to manage their newsletters and newsletter subscriptions
- to create discount coupon codes through subscription to newsletters
- to send email newsletters and automated emails for marketing purposes
- to manage contacts and identify target customer segments
- to issue and manage discount coupon codes

AfterShip SMS | Tracking Notification

Service which enables Users to send SMS notifications to End-Users and to customize the notification experience

AfterShip SMS | Marketing

Service which enables Users:
- to send SMS and automated SMS for marketing purposes

AfterShip Popups & Forms | Popups & Forms

Service with features that enable Users:
- to manage discount coupon codes through subscription to newsletters and other means
- to show website popups and forms on their websites

AfterShip Popups & Forms | Conversion tools

Service to Users with features that enable Users to:
- show website popups, sales popups, and announcement bars on their websites
- change the website storefront easily (e.g. add a sales sticker on an image)
- send web push notifications
- add an instant search bar to their website

AfterShip Popups & Forms | Recommendations

Service provided to Users with features that enable End-Users to find products easily with personalized product recommendations

AfterShip Page Builder | Page builder

Service to Users with features that enable them:
- to build conversion pages with abundant page features
- to list their stores' products
- to list their stores' product collections
- to obtain website analytics (visitor count, added-to-cart count, or other statistics)

AfterShip Page Builder | Sections processing End-User Information

Service to Users with features that enable:
- End-Users to subscribe to merchants' newsletters
- End-Users to get discount coupon codes through subscription to newsletters and other means
- Users to send email newsletters and automated emails for marketing purposes
- Users to manage contacts and identify target customer segments
- End-Users to send feedback to merchants to build a relationship
- Users to receive feedback from End-Users

AfterShip Page Builder | Best sales

Service enabling Users to provide hot sales or product recommendations to End-Users

AfterShip Reviews | Reviews

Service to Users which contains the following features:
- End-Users to check previous reviews of the applicable store
- End-Users to submit their reviews and NPS feedback to merchants
- End-Users to get discount coupon codes through submitting and sharing reviews
- Users to collect reviews from End-Users
- Users to send emails for collecting reviews and NPS feedback
- Users to manage reviews and NPS feedback
- Users to add review widgets to their website
- Users to manage referral programs
- Users to show the reviews on Google and on other sales channels

AfterShip Reviews | Based on AfterShip Tracking events

Service to Users with features that enable them to send a review request email when an AfterShip tracking update event is triggered

AfterShip Referral | Referral

Service to Users with features that enable:
- Users to show a referral program signup widget on their websites
- End-Users to join referral programs and share referral links
- End-Users to visit a website via referral links
- End-Users to get rewards after they refer someone

AfterShip Referral | Affiliates

Service to Users with features that enable:
- Users to show a referral program signup widget on their websites
- affiliates (referees) to join affiliate programs and share affiliate links
- End-Users to visit a website via affiliate links
- affiliates (referees) to get rewards after they refer someone who makes a purchase
- Users to see website analytics (visitor count, added-to-cart count, or other statistics)

AfterShip Personalization | Personalization

Service with features that enable Users to provide product recommendations to End-Users

Shipment Reviews | Shipment reviews

Service allowing End-Users to provide shipment reviews to Users

Apple Wallet Order Tracking | Apple Wallet

Service that enables Users to give their End-Users the possibility to import tracking and parcel information into their personal Apple Wallet

AfterShip Warranty | Warranty

Service which provides Users with a tool to give a warranty experience to End-Users, including, but not limited to, tracking the returns and providing email notifications

AfterShip Warranty | Branded Warranty Page

Service that enables Users to provide a branded parcel-warranty centre to their End-Users

AfterShip Support Access | AfterShip Support Access

Support service where AfterShip accesses your Account for support, debugging and assistance

AfterShip One | AfterShip One

All-in-one service where the User receives access to use the platform and to subscribe to any and all Features as subscribed to by the User in accordance with the Main Agreement.

  4. Categories of Data Subjects

End-Users (all categories)

Parcel Recipients (name, signed by name, link to the proof of delivery, proof of delivery file*)

*Proof of delivery files are only provided if AfterShip has: (i) Support Access, and/or (ii) a data processing agreement with the applicable Authorized Carrier, including adequate instructions (e.g., retention periods) in compliance with Applicable Data Protection Laws.

  5. Frequency of the Personal Data processing and transfer (if any transfer)

Continuous

  6. Authorized subprocessors and recipients

    • Authorized Subprocessors
    • Authorized Carriers
  7. Categories of Personal Data processed by category of Services

See tables below.

AfterShip Tracking AfterShip EDD AfterShip Shipping AfterShip Returns AfterShip Protection AfterShip Parser AfterShip Warranty AfterShip Warranty Apple Wallet Order Tracking
Category of Personal Data Details Tracking (API) Tracking (Platform) Branded tracking page AI Recommendation Notifications revenue AfterShip EDD AfterShip EDD (Widget) Shipping Returns Centre Branded returns page Protection Parser Warranty Branded Warranty Page Apple Wallet
Shipping Information tracking number, carrier name, shipping method, box type, parcel weight, ship date, ship from address, shipping address, number of individual packages ✖️ ✖️
Order Information order number, order value, order date, order platform tag, shipping fee, item name, item value, item amount, item link, item number, item variant, item brand, coupon information, order status, transaction id, capture id, order id
End-User Information End-User name, End-User email, end-user phone number, End-User's address, End-User platform account ID ✖️ ✖️ ✖️ ✖️ ✖️
Tracking Information delivery status, delivery location, delivery date, signed by name, expected delivery date, link to the proof of delivery, proof of delivery file ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Label & Rates Information shipping label file, shipping rates, manifest file ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Returns Information returns reason, returns method, resolution type, returns product images, refund amount, returns date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-User Behavioral Data referrer page link, current page link, page consultation start/finish, product views or clicks, adding products to cart, search, functions provided by AfterShip widgets ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-User Browser Information browser type, browser version, os type, os version ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-user IP Address geolocation (city, state, region, country) ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shopping Cart Information shopping cart reference number, item name, item value, item amount, item link, item number, item variant, item brand ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Checkout Information checkout number, checkout value, checkout date, item name, item value, item amount, item link, item number, item variant, item brand, coupon code, discount amount, discount rate, coupon information ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Product Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _ama internally generated ID number of the End-User ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_id internally generated ID number of the End-User clicking on a link in an email or an SMS ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_sid internally generated ID number of the End-user browsing session ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Insurance Information insurance platform, insured amount, premium fee ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shipment Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Warranty Information warranty reason, warranty method, resolution type, warranty product images, refund amount, warranty date, product picture ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Connected Email Information email content, email date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
AfterShip Email AfterShip SMS AfterShip Popups & Forms AfterShip Page Builder AfterShip Reviews AfterShip Referral AfterShip Personalization AfterShip Support Access AfterShip One
Category of Personal Data Details Marketing Tracking Notification Marketing Tracking Notification Conversion tools Recommendations Page builder Processing of End-User Data Best sales Reviews Based on AfterShip tracking Referral Affiliates Personalization AfterShip Support Access
Shipping Information tracking number, carrier name, shipping method, box type, parcel weight, ship date, ship from address, shipping address, number of individual packages ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Order Information order number, order value, order date, order platform tag, shipping fee, item name, item value, item amount, item link, item number, item variant, item brand, coupon information, transaction id, capture id, order id ✖️ ✖️
End-User Information End-User name, End-User email, end-user phone number, End-User's address, End-User platform account ID ✖️ ✖️
Tracking Information delivery status, delivery location, delivery date, signed by name, expected delivery date, link to the proof of delivery ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Label & Rates Information shipping label file, shipping rates, manifest file ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Returns Information returns reason, returns method, resolution type, returns product images, refund amount, returns date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-User Behavioral Data referrer page link, current page link, page consultation start/finish, product views or clicks, adding products to cart, search, functions provided by AfterShip widgets ✖️ ✖️ ✖️
End-User Browser Information browser type, browser version, os type, os version ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
End-user IP Address geolocation (city, state, region, country) ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shopping Cart Information shopping cart reference number, item name, item value, item amount, item link, item number, item variant, item brand ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Checkout Information checkout number, checkout value, checkout date, item name, item value, item amount, item link, item number, item variant, item brand, coupon code, discount amount, discount rate, coupon information ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Product Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _ama internally generated ID number of the End-User ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_id internally generated ID number of the End-User clicking on a link in an email or an SMS ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Cookie _am_sid internally generated ID number of the End-user browsing session ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Insurance Information insurance platform, insured amount, premium fee ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Shipment Review Information review content, review date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Warranty Information warranty reason, warranty method, resolution type, warranty product images, refund amount, warranty date, product picture ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️
Connected Email Information email content, email date ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️ ✖️