Data Processing Addendum
Document version: 1.00.
Version date: 19.09.2025.
This Data Processing Addendum (“DPA”) is effective as of the date of execution of this DPA or the date on which the Agreement (defined below) becomes effective or when amendments to this DPA become effective according to Clause 12.1. (“Effective Date”) by and between Printify, Inc., a Delaware corporation, with registered office at 1000 N. West Street, Suite 1200, Wilmington, Delaware, United States, DE 19801 (“Company”) and the Supplier that provides the Services (“Supplier”), (each, a “Party” and together, the “Parties”).
A. General provisions
- The Company and the Supplier have entered into a Supplier Agreement (“Agreement”). For the performance of the Agreement, the Supplier may process Personal Data of Customers of the Company, or other end users of the Company’s services including website visitors if applicable.
- This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between the terms of the Agreement and this DPA, the terms of this DPA will prevail. Except as expressly amended herein, the terms of the Agreement remain in full force and effect. Execution of the Agreement is understood by the Parties and shall be deemed as execution of this DPA and if applicable, the appropriate Standard Contractual Clauses (which supersede this DPA with respect to the processing covered by such Standard Contractual Clauses).
B. Definitions
- In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), and its implementing regulations, each as amended from time to time.
- “Privacy Laws” means all laws and regulations, including laws and regulations of the EEA and the United States and its states, applicable to the Processing of Personal Data under the DPA.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC;
- “Services” means the services and other activities to be supplied to or carried out by or on behalf of the Supplier for the Company pursuant to the Agreement;
- “UK GDPR” means the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019;
- The terms “controller”, “Data Subject”, “processor”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Sub-processor” shall have the same meaning as in the GDPR / UK GDPR.
- The terms “Business,” “Business Purpose,” “Sale,” “Share,” “Service Provider,” “Contractor,” and “Third Party” shall have the same meaning as in the CCPA.
C. Processing of Personal Data
- The Parties agree that, with regard to the processing of Personal Data, the Company shall be regarded as the data controller (a Business according to the CCPA) and the Supplier shall be regarded as the data processor (a Service Provider according to the CCPA). In the event that the Company is acting in the capacity of a data processor (a Service Provider according to the CCPA), the Supplier shall be regarded as a data sub-processor, but this does not affect the provisions of this DPA or the respective definitions in relation to the Supplier’s Sub-processors.
- The Supplier shall process Personal Data only in accordance with this Agreement and the documented instructions issued by the Company from time to time, including this DPA, whether in written or electronic form (“Instructions”), and only to the extent necessary to provide the Services to the Company under the Agreement. If the Supplier cannot comply with the Company’s Instructions for any reason (including because an Instruction would infringe Privacy Laws), it shall immediately inform the Company of its inability to comply.
- The categories of Data Subjects, categories of Personal Data, subject matter, nature, purpose(s), duration and location(s) of Processing and other Processing details are described in Annex I. Supplier agrees that Annex I is a correct and complete description of its Processing of Personal Data. Supplier agrees to notify the Company of any change to the Processing description that is necessary to ensure the description in Annex I is correct and complete.
- The Supplier processes Personal Data only as necessary to perform its obligations under the Agreement and as further set out in Annex I, or as otherwise agreed in advance and in writing by the Company. For the avoidance of doubt, unless agreed in writing by the Company, the Supplier shall not be permitted to process the Personal Data for its own purposes. The Supplier may, however, Process Personal Data to the extent necessary to detect data security incidents or to protect against fraudulent or illegal activity.
- The Supplier shall not sell, retain, use, or disclose Personal Data for any purpose outside of the direct business relationship between the Supplier and the Company.
D. Duties and obligations of the Supplier
- The Supplier shall process the Personal Data provided by the Company in compliance with applicable laws, including Privacy Laws.
- Supplier shall take reasonable steps to ensure that access to Personal Data is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement.
- The Supplier has in place procedures to ensure that all Sub-processors, employees, consultants, or agents it authorizes to have access to the Personal Data:
- are under contractual or professional or statutory obligations of confidentiality and maintain the confidentiality and security of the Personal Data;
- are obligated to Process the Personal Data only on instructions from the Supplier or as otherwise permitted under Privacy Laws;
- have undertaken training on the relevant Privacy Laws relating to handling Personal Data and how it applies to their particular duties and are aware of duties and obligations under the relevant Privacy Laws and this DPA.
- The Supplier (including its Sub-processors) has implemented appropriate technical and organizational measures at minimum as specified in Annex II of this DPA and shall continue to comply with them during the term of this DPA.
- Parties acknowledge that the adequacy of the security measures mentioned in Annex II may change over time and that an effective set of security measures demands frequent evaluation and improvement of security measures. The Supplier will therefore frequently evaluate and tighten, increase, or improve such measures according to industry best practice to ensure compliance even if no changes are made to measures listed in Annex II.
- Supplier will comply with all applicable laws, rules and regulations concerning the use of AI Systems (machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments), including, but not limited to: laws regulating specifically AI Systems, Privacy Laws; marketing and telecommunications laws; intellectual property laws; consumer protection laws; employee protection laws; anti-discrimination and civil-rights laws; laws concerning the use of data sets as inputs for AI Systems; laws and rules related to web-scraping; and laws concerning the use of outputs from AI Systems, as may be adopted, amended, modified, or replaced from time to time.
E. Restricted Transfers
- Restricted Transfer means a cross-border transfer or other disclosure of Personal Data that is restricted by Privacy Laws because the disclosure is made to a person or entity located in a jurisdiction which a competent government or regulatory authority determines does not ensure the same or higher level of data protection as the jurisdiction from which the Personal Data originates (“Originating Jurisdiction”).
- Prior to any Restricted Transfer made by or on behalf of Supplier to a jurisdiction that does not offer equivalent or more protective Privacy Laws for Personal Data (“Destination Jurisdiction”) as the Originating Jurisdiction, Supplier represents that, as and when required by Privacy Laws, (i) Supplier has conducted an assessment (“Transfer Impact Assessment”) of the laws and practices applicable to Supplier and Personal Data Processed by Supplier (or its Sub-processor) in the Destination Jurisdiction and has determined that the laws and practices in the Destination Jurisdiction offer essentially-equivalent or more protective Privacy Laws as the Originating Jurisdiction; and (ii) Supplier will promptly notify the Company if Supplier believes that a change in the Destination Jurisdiction affects the analysis in Supplier’s Transfer Impact Assessment.
- The Supplier will obtain the prior authorization of the Company before any Restricted Transfer by the Supplier or a Supplier affiliate to a Sub-processor for Processing in a location that is not included in a prior notification to the Company for authorization of a Sub-processor or that is not detailed in Annex I. The Supplier will ensure, and will require that each Supplier Sub-processor ensures, that all Restricted Transfers comply with the requirements set out in this DPA.
- Unless the Supplier notifies the Company that a Restricted Transfer is sufficiently covered by a Data Privacy Framework or Binding Corporate Rules, the Supplier shall agree to be bound by the relevant Standard Contractual Clauses:
- European Union SCCs: The appropriate module set forth in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “SCCs”), as may be amended from time to time, will apply to: (i) any Transfer of Personal Data that is subject to the GDPR to a data importer located outside of the European Economic Area (“EEA”); and (ii) any Transfer of Personal Data that is subject to the laws of a country outside the EEA whose competent authority has approved the use of the SCCs, including but not limited to Japan and Switzerland (each, an “Adopting Country”), to a data importer located outside of the Adopting Country.
- If the Transfer is from a data exporter acting as a Controller to a data importer acting as a Processor, the transfer will be governed by the SCCs (Module 2 – Controller to Processor).
- If the Transfer is from a data exporter acting as a Processor to a data importer acting as a Processor, the transfer will be governed by the SCCs (Module 3 – Processor to Processor).
- Where the Transfer relates to Personal Data subject to the GDPR, the parties agree:
- The contents of Annex I and Annex II to the DPA shall form Annex I and Annex II to the SCCs, respectively.
- Clause 7 (Docking Clause) of the SCCs applies.
- Before disclosing a copy of the SCCs pursuant to transparency (namely, Clause 8.2 in Module 1, and Clause 8.3 in Modules 2 and 3), the disclosing party must use commercially reasonable efforts to redact all commercial terms but provide a meaningful summary if the data subject would otherwise not be able to exercise their rights as a result of the redaction.
- Per Clause 9(a) of the SCCs, the data exporter hereby provides a general authorization (Option 2) for the Processing of Personal Data as set forth in the DPA. The data importer shall specifically inform the data exporter in writing of any intended change to Sub-processors as set forth in the DPA.
- For Clause 13 (Supervision), Annex I.C (Supervisory Authority), Clause 17 (Governing law – Option 1), and Clause 18 (Choice of forum and jurisdiction) of the SCCs, the parties elect the supervisory authority, laws, and courts of Latvia.
- Adopting Countries (e.g., Switzerland, Japan, etc.) SCCs: Where the Restricted Transfer relates to Personal Data subject to the Privacy Laws of an Adopting Country, the parties agree:
- UK GDPR SCCs: Where the Transfer of Personal Data is subject to the Privacy Laws of the United Kingdom (including the UK GDPR), the parties agree:
- The standard data protection clauses, Version A1.0, in force 21 March 2022, issued by the Information Commissioner’s Office (“ICO”) under the UK GDPR (“UK SCCs”), as may be amended from time to time, shall apply in full; and
- The contents of Annex I and Annex II to the DPA shall form Tables 1-4 to the UK SCCs.
- For Restricted Transfers subject to the Privacy Laws of the People’s Republic of China: Where the Transfer relates to Personal Data subject to the Personal Information Protection Law (“PIPL”) of the People’s Republic of China (“China”), the Parties agree that the Supplier shall not transfer any Personal Data outside of China unless the Supplier obtains the prior written authorization of the Company (except to locations already listed in Annex I and relating to Sub-processors notified in accordance with this DPA).
- Other SCCs: Where the Transfer of Personal Data is subject to a Privacy Law in a jurisdiction that has adopted other standard contractual clauses, model contractual clauses, or functionally equivalent contracts as a valid international data transfer mechanism, the parties agree:
- The mandatory terms applicable to controller-to-processor or processor-to-processor (as appropriate) data transfers shall apply in full;
- Annex I to this DPA accurately describes the parties and data processing;
- The supervisory authority, governing law, choice of forum and jurisdiction shall be those mandated by that Privacy Law or, absent such a mandate, those of the jurisdiction where the Personal Data was collected;
- Annex II to this DPA (Technical and Organizational Measures) accurately describes the technical, security and other organizational measures;
- The data exporter hereby provides a general authorization for the Processing of Personal Data as set forth in the DPA. The data importer shall specifically inform the data exporter in writing of any intended change to Sub-processors as set forth in the DPA.
F. Data subject requests and assistance to the Company
- The Supplier has no direct relationship with the Data Subject and shall direct Data Subjects to contact the Company if it receives:
- any requests from an individual with respect to Personal Data processed, including but not limited to requests for access and/or rectification, blocking, data portability and all similar requests;
- any complaint relating to the processing of Personal Data, including allegations that the processing infringes on a Data Subject’s rights under Privacy Laws; or
- any order, demand, warrant, or any other document purporting to compel the production of Personal Data under applicable law.
- The Supplier shall immediately notify the Company in case it receives any of the above unless specifically prohibited by any applicable laws and regulations. The Supplier shall not respond to any of the above unless expressly authorized to do so by the Company or as obligated under applicable law or court order.
- The Supplier shall reasonably cooperate with and assist the Company with respect to any action taken relating to such request, complaint, order, or other document. As far as reasonably possible, and taking into account the nature of the processing, the information available to the Supplier, industry practices, and costs, the Supplier will implement appropriate technical and organisational measures to provide the Company with such cooperation and assistance.
- The Supplier shall provide the Company with reasonable assistance with regards to:
- ensuring compliance with the Company’s obligations pursuant to Privacy Laws;
- making available to the Company all reasonable information necessary to demonstrate compliance with Privacy Laws; and
- performing the necessary data protection impact assessments and prior consultation procedures as mentioned in Articles 35 and 36 of GDPR / UK GDPR.
- Supplier will assist the Company in handling an investigation conducted by a competent government or regulatory authority that relates to Personal Data Processed by Supplier. The Company will pay Supplier’s reasonable expenses for its assistance unless the investigation reveals Supplier’s non-compliance with this DPA or Privacy Laws, in which case Supplier will bear all reasonable costs and expense.
G. Personal Data Breach
- In case of a Personal Data Breach, the Supplier shall notify the Company without undue delay and not later than 72 hours after becoming aware of a Personal Data Breach. When notifying the Company, the Supplier shall provide:
- Description of the nature of the Personal Data Breach including, where possible, the categories and number of Data Subjects;
- Name and contact details of the Supplier’s data protection officer or other point of contact where more information can be obtained;
- Description of the likely consequences of the Personal Data Breach;
- Description of the measures taken or proposed to be taken by the Supplier to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- After delivering the notification, Supplier will:
- provide regular written reports to the Company on the status of the Personal Data Breach and revise the notification as needed to ensure it is complete, accurate and up to date;
- take all necessary steps to document, remediate and minimize the effects of the Personal Data Breach and to prevent recurrence; and
- provide, at Supplier’s sole cost, timely assistance and cooperation as reasonably requested by the Company to fulfil its obligations under applicable laws, including with respect to reporting to or informing Data Subjects or competent government or regulatory authorities of the Personal Data Breach.
H. Audit rights
- Upon the Company’s written request, the Supplier shall provide all information necessary to demonstrate compliance with obligations laid down in this Agreement and in Privacy Laws. This information shall be provided to the extent that such information is within the Supplier’s control and the Supplier is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
- If the information provided by the Supplier in the Company’s reasonable judgment is not sufficient to demonstrate the Supplier's compliance with this Agreement, the Supplier agrees to allow for and contribute to data processing audits, provided that any such audit does not involve the review of any third-party data and that the records and information access in connection with such audit are treated as confidential information.
- If an audit or inspection reveals non-compliance with this DPA or Privacy Laws, the Supplier will undertake all reasonably necessary corrective actions in a timely manner, provide periodic written updates to the Company and certify when all corrective actions are complete.
- Such audits are allowed to be carried out by the Company or auditors and agents authorized by the Company. The Company shall bear the costs of any such audit.
- The Company may request such an audit once a year or more often if the Supplier has suffered a Personal Data Breach that has affected the Personal Data.
I. Sub-processors
- The Supplier shall notify the Company, at least fifteen (15) business days before the Effective Date, of the Sub-processors already engaged by the Supplier to perform the Processing, providing at least the following information about each Sub-processor: legal name, address, data location, contact details, and a description of the data processing.
- The Supplier may add or replace Sub-processors from time to time by a notification at least fifteen (15) business days prior to engagement of the Sub-processor in Processing.
- The Company reserves the right to object in writing to a new or replacement Sub-Processor. If Company reasonably objects to a notified Sub-processor, then Company and Supplier will use good faith efforts to agree on a replacement for the Sub-processor or agree on commercially reasonable changes to Services. If the Parties are unable to agree on the replacement within fifteen (15) business days after the date of Company's written objection, then Company may as its sole remedy, terminate the portion of the Services which cannot be provided by Supplier without the use of the objected-to Sub-processor.
- By notifying a Sub-processor to the Company, the Supplier certifies that it:
- has carried out appropriate due diligence to ensure that the Sub-processor is capable of providing an appropriate level of protection for Personal Data, and is able to furnish supporting information about such review (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA);
- has ensured that the arrangement between the Supplier and the relevant Sub-processor is governed by a written agreement including terms which offer at least the same level of protection for Personal Data (including the technical and organizational measures) as those set out in this DPA and which meet the requirements of Article 28(3) of the GDPR; and
- will provide to the Company for review copies of such agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as the Company may request from time to time.
J. Liability
- Each Party is liable for damages incurred by the other Party which are caused directly by a Party’s breach of the commitments made in this Agreement, subject to the limitations and exclusions of liability agreed in the Agreement.
- Provided that the Company is not in breach of this Agreement, the Supplier shall indemnify and keep the Company harmless from any claim (including reasonable legal fees) brought against the Company by a third party as a result of a breach by the Supplier of its data protection commitments set in this Agreement. The Company shall notify the Supplier in writing of any claim for which the Company believes it is entitled to be indemnified pursuant to this Agreement.
K. Term and termination of Agreement and deletion of Personal Data
- This DPA shall take effect as of the entering into the Agreement and continue in full force and effect until the termination of the Agreement, after which this DPA will automatically simultaneously terminate, with the exception of the clauses which by their nature should continue to remain in full force and effect.
- Upon termination of this DPA, the Supplier shall promptly (within 15 days of the date of termination of the DPA), at the choice of the Company, delete or return to the Company all copies of Personal Data.
- The Supplier will not be required to delete Personal Data that the Supplier is required to retain to comply with applicable legal requirements. The Supplier will in such a case block the Personal Data for further use, ensure the secured storing of such Personal Data including appropriate access controls, and not use such Personal Data for any other purpose than such compliance purposes.
L. Miscellaneous
- Notwithstanding anything to the contrary in the Agreement, the Company reserves the right to amend or update this DPA to reflect changes in law, policy, operational standards or industry best practices, or at its own discretion. The Company shall provide the Supplier with at least fourteen (14) days’ prior written notice of any changes to the DPA. Notice shall be sent in accordance with the Agreement. If the Supplier does not object to such changes in writing within the notice period, the changes shall be deemed accepted and binding as of the effective date specified in the notice or, in the absence of such a date, fourteen (14) days after the notice. If the Supplier objects within the notice period, the Parties shall cooperate in good faith to resolve the objection. If the Parties are unable to reach an agreement within thirty (30) days after the objection, the Company may, at its sole discretion and with immediate notice, suspend or terminate the Agreement or any part thereof.
- If, due to any change in Privacy Laws, the Supplier reasonably determines that it is unable to abide by this DPA or to provide the Services in whole or in part (e.g. with respect to a particular jurisdiction), the Supplier shall notify the Company immediately in writing. The Company may then propose an amendment or supplement, or issue an updated DPA in respect of the Supplier, following the process for amendments or updates of this DPA outlined in Clause 12.1.
- To the maximum extent permitted by applicable law, the parties agree to treat the terms of this DPA as confidential information.
- This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the Republic of Latvia or as stipulated for this purpose in the Standard Contractual Clauses.
ANNEX I
A. LIST OF PARTIES
As determined in the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred: Customers of the Company, or other end users of the Company’s services including website visitors.
Categories of Personal Data transferred: Personal Data relating to the Company’s customers and end users and any Personal Data in printing content (where applicable) and Personal Data revealed during the use of any services of the Company, including name, surname, email address, phone number, and shipping address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): the transfers are on a continuous basis.
Nature of the processing: as set out in the Agreement and other Processing set forth in Instructions.
Purpose(s) of the data transfer and further processing: as set out in the Agreement and other Processing set forth in Instructions.
Location(s) of the Processing (City, State/Province, Country): as notified by the Supplier and according to notification of Sub-processors where appropriate.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: for the duration of the Agreement, until deletion following instruction of the Company or as required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: not applicable unless agreed between the Parties and notified to the Company.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Latvijas Republikas Datu valsts inspekcija (the Data State Inspectorate of Latvia), or as determined by the applicable SCCs.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
The technical and organizational measures can be met by providing a valid ISO/IEC 27001 certificate or by meeting all of the measures outlined below individually.
- Measures of pseudonymisation and encryption of Personal Data
- All Personal Data must be encrypted during transit and at rest.
- At rest, Personal Data must be encrypted using current, industry-standard versions of AES or an equivalent encryption algorithm. Passwords and similar secrets must not be stored in recoverable form but hashed with bcrypt or an equivalent password hashing function (bcrypt is a one-way hash, not an encryption algorithm, and is not a substitute for encrypting data at rest).
- In transit, Personal Data must be encrypted using current, industry-standard versions of TLS (including TLS-based protocols such as HTTPS and FTPS), SSH-based protocols such as SFTP, or an equivalent transport encryption protocol.
- To the extent possible, all Personal Data should be pseudonymised no more than 60 days after the moment Personal Data has been received.
- Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- All systems processing Personal Data in any way must have a working disaster recovery plan in place for all situations, as well as an incident response plan in case of any incidents. These plans must be supplemented with disaster recovery testing activities as well as periodic incident response testing activities.
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Systems storing or modifying Personal Data must be tested regularly (no less than annually) for security vulnerabilities and other system weaknesses that can adversely affect the confidentiality, integrity and/or availability of the Personal Data, ideally by a third party; testing may also be performed by in-house resources according to OWASP or other recognized testing and auditing frameworks.
- All identified security vulnerabilities or system weaknesses must be recorded and acknowledged within 24 hours. Remediation steps must be planned and performed based on an impact analysis.
- Upon written request, the Personal Data importer must provide the Personal Data exporter with the most recent security testing report.
- Measures for user identification and authorisation
- Access to Personal Data must be strictly controlled and rights must be granted on a need-to-know basis, with each user activity that can impact confidentiality, integrity and/or availability strictly monitored. Each such user must use secure authentication practices in order to restrict access. Authentication must consist of a username, a password that meets the current NIST password guidelines (SP 800-63B, in a revision no older than three years), and a second factor (a secure token or other MFA element).
- If Personal Data is being accessed remotely (through the internet) then VPN (IPSec tunnel) must be used at all times.
- Measures for ensuring physical security of locations at which Personal Data are processed
- All Personal Data must be stored with a cloud service provider that holds a valid ISO/IEC 27001 certificate or, in the case of a private data center, in rooms physically protected according to physical security best practices, e.g. a separate server room, 24/7/365 on-site guards and video surveillance, and strict logging of every access to the server room, so that Personal Data cannot be physically tampered with.
- Measures for ensuring events logging
- All Personal Data related activities that can impact confidentiality, integrity and/or availability must be strictly logged. Event logs must be periodically analyzed to monitor any confidentiality, integrity and/or availability impacting activity. Event logs themselves must be protected from unauthorized changes.
- Measures for ensuring system configuration, including default configuration
- All infrastructure processing Personal Data in any way must have a system configuration that has been hardened from security perspective (all nonessential services disabled/uninstalled). These configurations must be managed in a way that will restrict any unauthorized changes to configurations without proper approval process and strict logging of every configuration change.
- Measures for internal IT and IT security governance and management
- The Personal Data importer implements and maintains a comprehensive written information security program that includes policies and procedures to protect and keep secure information in accordance with good industry practice and as required by applicable law.
- Personal Data importers must have the following documents in place: IT security policy, acceptable use policy, data classification policy, disaster recovery plan, incident response plan, user access policy, remote access policy, IT risk assessment, and third-party security policy.
- All IT policies, procedures and plans that impact processing of any Personal Data must be reviewed at least annually or just after an IT incident.
- Measures for ensuring data minimisation
- Personal Data processing must comply with the following principles:
- adequate – sufficient to properly fulfil the stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – the importer does not hold more than it needs for that purpose.
- Measures for ensuring data quality
- Personal Data must always be accurate, and no duplicate or conflicting versions of the same data entry may exist.
- Measures for ensuring accountability
- Data protection policies must be adopted and implemented describing Personal Data processing activities.
- Data importers must have a dedicated data protection officer appointed to oversee Personal Data processing, carry out data protection impact assessments for Personal Data, and report Personal Data Breaches to the appropriate authorities and to data exporters.
- Data importers must adopt and maintain written contracts with organizations that process Personal Data on the data importer’s behalf.
- Measures for allowing data portability and ensuring erasure
- All Personal Data must be stored in such a way that it can be aggregated into a structured, machine-readable format. If a request for data portability is approved, the Personal Data may be sent outside the data processor’s network to the next data processor. In that case the Personal Data must be encrypted using current, industry-standard versions of AES or an equivalent encryption algorithm, and transmission must take place over an IPsec tunnel (VPN).
- All Personal Data held in backups must be deleted after this agreement has been terminated.
- While the agreement is still in place, Personal Data must be deleted from backups that are older than 60 days.
- All Personal Data that is part of order fulfilment data will be anonymized within thirty (30) days after delivery or dispatch of the relevant order (whichever known moment comes later). The anonymization will include obfuscating the recipient’s name and surname (retaining at most the first and last letters), fully obfuscating the shipping and return address apartment number, street name, house number or name and block number (postal code and city information may be retained), and fully obfuscating contact details (such as phone number and email).
- All Personal Data must be deleted or returned after this agreement has been terminated.
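Worked example, added here and not part of the DPA or of any Printify or Supplier code: a Python implementation of two of the retention rules above, the keyed pseudonymisation of direct identifiers (the 60-day rule under “Measures of pseudonymisation and encryption”) and the 30-day anonymisation of order fulfilment data (retain at most the first and last letters of names, drop address detail and contact data, keep postal code and city). The Order record layout and field names, the use of HMAC-SHA256 for pseudonymisation, the masking character and the sample orders are assumptions made for illustration; the DPA prescribes none of them. The example also handles the two edge cases the rule leaves implicit: a one- or two-letter name (keeping both ends would reveal it entirely) and an order with no known dispatch or delivery date (the 30-day clock has not started).

```python
"""Annex II retention rules for order fulfilment data (added example, not DPA text)."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

ANONYMISATION_DELAY = timedelta(days=30)  # Annex II: 30 days after dispatch/delivery
MASK_CHAR = "*"                           # assumed masking character
AS_OF = date(2025, 9, 19)                 # "today" for the sample run (assumed)


@dataclass(frozen=True)
class Order:
    # Hypothetical record layout; the DPA does not prescribe one.
    order_id: str
    first_name: str
    last_name: str
    email: str
    phone: str
    street: str
    house_number: str
    apartment: str
    block: str
    postal_code: str
    city: str
    dispatched_at: Optional[date]
    delivered_at: Optional[date]


def pseudonymise(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token (assumed technique).

    The token is stable for the same input, so records still join, but cannot be
    reversed without the key, which must be stored separately from the data.
    Normalising whitespace and case stops trivial variants producing different tokens.
    """
    canonical = " ".join(value.split()).lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def obfuscate_name(name: str) -> str:
    """Keep at most the first and last letter; mask everything in between.

    A one- or two-letter name would be fully revealed by keeping both ends, so only
    the first letter is kept in that case (the rule allows retaining fewer letters).
    """
    name = name.strip()
    if not name:
        return ""
    if len(name) <= 2:
        return name[0] + MASK_CHAR * (len(name) - 1)
    return name[0] + MASK_CHAR * (len(name) - 2) + name[-1]


def anonymisation_due(order: Order, today: date) -> bool:
    """Due 30 days after the later of the *known* dispatch/delivery dates.

    If neither date is known the clock has not started and the order is left as is.
    """
    known = [d for d in (order.dispatched_at, order.delivered_at) if d is not None]
    if not known:
        return False
    return today >= max(known) + ANONYMISATION_DELAY


def anonymise_order(order: Order) -> Order:
    """Apply the Annex II rule: mask names, drop address detail and contact data,
    keep postal code and city (coarse location may be retained)."""
    return replace(
        order,
        first_name=obfuscate_name(order.first_name),
        last_name=obfuscate_name(order.last_name),
        email="", phone="",
        street="", house_number="", apartment="", block="",
    )


def anonymise_due_orders(orders: List[Order], today: date) -> List[Order]:
    """Return the batch with every due order anonymised; the rest pass through unchanged."""
    return [anonymise_order(o) if anonymisation_due(o, today) else o for o in orders]


# Constructed sample input (not real customer data).
SAMPLE_ORDERS = [
    Order("A1", "Anna", "Berzina", "anna@example.com", "+371 20000000",
          "Brivibas iela", "12", "4", "B", "LV-1010", "Riga",
          date(2025, 8, 1), date(2025, 8, 5)),            # delivered 45 days ago: due
    Order("A2", "Li", "Wu", "li@example.com", "+1 555 0100",
          "Main St", "7", "", "", "94105", "San Francisco",
          date(2025, 9, 10), None),                       # dispatched 9 days ago: not yet
    Order("A3", "Eva", "Ko", "eva@example.com", "+49 30 000000",
          "Hauptstrasse", "3", "", "", "10115", "Berlin",
          None, None),                                    # nothing known: clock not started
]

if __name__ == "__main__":
    for o in anonymise_due_orders(SAMPLE_ORDERS, AS_OF):
        print(o.order_id, o.first_name, o.last_name, o.postal_code, o.city, repr(o.email))
    print(pseudonymise("anna@example.com", b"example-key-kept-in-a-separate-store"))
```

In the sample run only order A1 is rewritten (to “A**a B*****a LV-1010 Riga ''”); A2 and A3 pass through untouched. The pseudonymisation key is deliberately taken as a parameter rather than embedded beside the data, since a keyed token is only a pseudonym for as long as the key is held separately from the records it protects.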
- Measures for Sub-processors (where applicable)
- All involved Sub-processors must comply with all the same measures as described for importers.