Data Protection Agreement (DPA)

Last updated: 1 April 2023

This Data Protection Agreement ("DPA") is entered into between The Rave LLC ("The Rave," "we," "us," or "our") and the Merchant ("Merchant," "you," or "your"), collectively referred to as the "Parties." This DPA forms part of the Merchant Terms of Service Agreement between the Parties and sets forth the rights and obligations concerning the processing and protection of personal data.

By using our Services, you agree to the terms of this DPA.

1. Definitions

1.1 "Data Controller" means the entity that determines the purposes and means of the processing of personal data.

1.2 "Data Processor" means the entity that processes personal data on behalf of the Data Controller.

1.3 "Data Subject" means an individual who is the subject of personal data.

1.4 "Personal Data" means any information relating to an identified or identifiable natural person (a "Data Subject") that is processed by The Rave on behalf of the Merchant as a result of, or in connection with, the provision of the Services.

1.5 "Processing" means any operation or set of operations performed upon personal data, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

1.6 "Services" means the online payment processing services and related products and services provided by The Rave to the Merchant.

2. Roles of the Parties

2.1 The Merchant, as the Data Controller, appoints The Rave as a Data Processor to process personal data on the Merchant's behalf in connection with the Services.

2.2 The Rave agrees to process personal data only in accordance with the Merchant's instructions, as set out in this DPA, and to implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.

3. Data Processing

3.1 The Rave shall process personal data solely for the purposes of providing the Services to the Merchant and for any other purposes specifically authorized by the Merchant in writing.

3.2 The Rave shall not process personal data for any other purpose, except as required by applicable law, in which case The Rave shall inform the Merchant of such requirement before processing, unless prohibited by law from doing so.

4. Confidentiality

4.1 The Rave shall ensure that its personnel engaged in the processing of personal data are informed of the confidential nature of the personal data and are bound by appropriate confidentiality obligations.

5. Security

5.1 The Rave shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing of personal data, including measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6. Subprocessors

6.1 The Rave may engage subprocessors to process personal data on its behalf, provided that The Rave enters into a written agreement with each subprocessor that imposes data protection obligations equivalent to those set forth in this DPA.

6.2 The Rave shall remain responsible for the performance of its subprocessors and for any breach of this DPA by its subprocessors.

7. Data Subject Rights

7.1 The Rave shall, to the extent legally permitted, promptly notify the Merchant of any request by a Data Subject to access, rectify, erase, restrict, or object to the processing of their personal data, and shall cooperate with the Merchant to facilitate the exercise of Data Subject rights under applicable data protection laws.

8. Data Transfers

8.1 To the extent that The Rave processes personal data outside the jurisdiction in which it was collected, The Rave shall ensure that such processing complies with applicable data protection laws and regulations, including by entering into appropriate data transfer agreements, such as the Standard Contractual Clauses or implementing other legally approved mechanisms.

9. Data Breach Notification

9.1 In the event of a personal data breach, The Rave shall, without undue delay, notify the Merchant and provide reasonable cooperation and assistance in order to enable the Merchant to comply with its data breach notification obligations under applicable data protection laws.

9.2 The Rave shall take reasonable steps to mitigate the effects of the personal data breach and to prevent any further breaches from occurring.

10. Data Retention and Deletion

10.1 The Rave shall retain personal data only for as long as necessary to provide the Services, or as required by applicable law or the Merchant's instructions.

10.2 Upon termination of the Merchant Terms of Service Agreement or upon the Merchant's written request, The Rave shall, at the Merchant's choice, either return or securely delete all personal data in its possession or control, unless retention is required by applicable law.

11. Audits and Inspections

11.1 The Rave shall make available to the Merchant, upon reasonable request, information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits or inspections conducted by the Merchant or an auditor mandated by the Merchant.

11.2 Any audits or inspections shall be conducted during regular business hours and with reasonable notice to The Rave, and shall not unreasonably interfere with The Rave's normal business operations.

12. Modifications

12.1 The Rave may modify this DPA from time to time by providing notice to the Merchant. The Merchant's continued use of the Services after receiving such notice shall constitute acceptance of the modified DPA.

13. Governing Law and Jurisdiction

13.1 This DPA shall be governed by and construed in accordance with the laws of the jurisdiction in which the Merchant is located, without regard to its conflict of law principles.

13.2 Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the jurisdiction in which the Merchant is located.

Please find the list of all customer data stored by The Rave and their purposes on the following page: Customer Data and Purposes