Data Processing Policy

Wizard Labs (Wizard Labs, “we”, “us”, “our” and terms of similar meaning) operates the website hosted at the wizardlabs.cloud domain and all associated subdomains (the “Website”), as well as the services provided by the Website (the “Service”) in compliance with these terms and conditions of use.

Before you install our app on your store, you must read, understand and agree to the terms stated here, and by using the Service you become legally bound by them.

The Service is an online invoicing software for Shopify stores. It is a mobile-compatible web application that allows the design and creation of invoices, packing slips, credit notes, and other document types. The Service is based on the SaaS (software as a service) model and requires a subscription.

Roles of the Parties


This policy shall apply where Merchant acts as a controller and Wizard Labs as a processor, or where Merchant acts as a processor and Wizard Labs as a sub-processor. All parties agree to keep all data and Confidential information private and secure from any third party.

Compliance with Data Protection Policies


Both parties will comply with all relevant data protection laws, regulations, and guidelines, including the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018, the Privacy and Electronic Communications Directive, and the Swedish Data Act. These laws and regulations are designed to protect the privacy and personal data of individuals and are subject to change over time.

Processing Personal Data


Annex A specifies the extent, nature, and objective of the processing carried out by Wizard Labs, the duration of the processing, and the types of personal data and categories of the data subjects involved.

  • Merchant has appointed Wizard Labs to process personal data on its behalf, and in accordance with Merchant's documented instructions, as well as any additional necessary steps to provide the Services or as agreed upon in writing by both parties. The initial scope of these instructions is defined by the Agreement. If Wizard Labs believes that an instruction from Merchant violates Data Protection Legislation or if Wizard Labs becomes aware that it is unable to process personal data in accordance with Merchant's instructions due to a legal requirement, Wizard Labs will promptly inform Merchant, and if necessary, stop all processing (excluding storing and maintaining security of the affected personal data) until new instructions are given. If this provision is invoked, Wizard Labs will not be liable to Merchant under the Agreement for any failure to perform the applicable Service until new lawful instructions are given regarding the processing.
  • Merchant will be responsible for complying with all requirements that apply under applicable Data Protection Laws with respect to the Processing of Personal Data and the Instructions it issues to Wizard Labs. In particular, but without prejudice to the foregoing, the Merchant warrants that he/she will be solely responsible for the quality, accuracy, and legality of Merchant Data and the means by which it was acquired by the Merchant; complying with all necessary lawfulness and transparency requirements under applicable Data Protection Laws for each collection and use of the Personal Data, including obtaining any necessary consents and authorizations; ensuring that the Merchant has the necessary right to transfer, or provide access to, Wizard Labs for accessing and Processing of such data; ensuring that all Instructions regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws; and complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Merchant will inform Wizard Labs without undue delay if Merchant is not able to comply with Merchant’s responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
  • Wizard Labs agrees that it will act as a "Service Provider". Merchant provides personal data to Wizard Labs solely for the purpose of providing the services, and for no other reason. Wizard Labs is prohibited from selling Merchant's personal data, using or disclosing it for any purpose other than providing the Services, using or disclosing it outside of the direct business relationship between Wizard Labs and Merchant, or combining it with personal data obtained from other sources. Wizard Labs certifies that it understands and will comply with these prohibitions. Merchant understands and agrees that Wizard Labs may use sub-processors to provide the Services and process personal data on Merchant's behalf in accordance with this policy. The parties agree that any payment made by Merchant to Wizard Labs is for the provision of the Services and not for the personal data.

Security


  • Wizard Labs will put in place necessary technical and organizational measures to ensure the safe processing of the Merchant's personal data, which will at least meet the standards outlined in Annex B.
  • Wizard Labs will, within the limits of the law, notify the Merchant promptly upon any accidental or illegal destruction, loss, alteration, or unauthorized sharing or access to processed personal data.
  • Wizard Labs will guarantee that all employees who handle (or have access to) personal data have pledged to keep the data confidential in line with Wizard Labs's confidentiality responsibilities specified in the Agreement.

Assistance

Wizard Labs will use reasonable efforts to provide the Merchant with the necessary tools and resources to manage and protect personal data, at the Merchant's expense. These tools include the ability for the Merchant to correct, retrieve, delete or restrict their personal data. If the Merchant is unable to handle a request from a data subject through these tools, they have the option to request additional assistance from Wizard Labs. Upon termination of the agreement, Wizard Labs will delete or return personal data to the Merchant unless required by law or if it has been archived on backup systems. If no written direction is provided by the Merchant, the personal data will be deleted according to the terms of the agreement.

If an individual contacts Wizard Labs directly with a request or concern related to the processing of personal data under the agreement, Wizard Labs will notify the Merchant and direct the individual to submit their request to the Merchant. The Merchant will be responsible for handling and responding to any requests or communications related to personal data.

Audit

Both parties agree that the Merchant has the right to evaluate Wizard Labs's adherence to its obligations under data protection laws, when Wizard Labs is processing data on behalf of the Merchant. The Merchant agrees that the audits described in the agreement meet their audit requirements. The Merchant will exercise their right to conduct inspections or audits by giving written notice to Wizard Labs to proceed with the audits outlined in the agreement (including as per the Standard Contractual Clauses if applicable).

Merchant has the right to conduct an audit of Wizard Labs's compliance with Article 28 of the GDPR. The audit must be scheduled with at least 30 days written notice to Wizard Labs, and can only be done once per year. Wizard Labs shall provide all necessary information to demonstrate compliance, including summaries of its information security and privacy policies, and will promptly cooperate and respond to Merchant's reasonable privacy and security questionnaires. If the request for audit occurs during a time when it would be disruptive to Wizard Labs's business, the parties can mutually agree on an extension. Prior to the audit, the Merchant will have to sign a confidentiality agreement that is reasonably satisfactory to Wizard Labs. The Merchant will bear their own costs and expenses for the audit, and both parties will make efforts to minimize disruption to Wizard Labs's business activities.

Sub-Processors

The Merchant grants general written permission for Wizard Labs to engage sub-processors, including Wizard Labs's affiliates and third-party sub-processors (which may include other affiliates) as outlined in the Privacy policy. For the purpose of this policy, "Affiliate" means an entity that controls, is controlled by, or is under the same control as a party, in which an entity will be deemed to have control if it owns more than 50% of another entity. Wizard Labs and its affiliates may engage such sub-processors to process personal data, as long as they have entered into a written agreement with the third-party processor that requires them to protect the personal data to the same standards outlined in this policy.

If Wizard Labs or its affiliates appoint a new or remove an existing sub-processor, they will update the list on the Privacy Center. The Merchant can choose to receive alerts for such updates via the mechanism provided in the Privacy Center. If the Merchant has chosen to receive alerts, Wizard Labs will send an email notification to the email address provided by the Merchant on the Privacy Center. The Merchant can object to the appointment or replacement of a sub-processor, as long as they notify Wizard Labs in writing within 30 days of receiving the notification. If the Merchant does not object within this period, the new sub-processor will be considered accepted. If the Merchant objects and Wizard Labs can't reasonably accommodate the objection, the Merchant can terminate the affected service(s) by giving written notice to Wizard Labs. Any rights and obligations that have already been acquired will survive such termination.

If the Standard Contractual Clauses are applicable, both parties agree to the general written authorization outlined in section (a) of the Standard Contractual Clauses (Module Two). The Merchant acknowledges and agrees that they will be informed of any intended changes to the list of sub-processors and have the right to object in the manner described in this policy, as outlined in section (a) of the Standard Contractual Clauses (Module Two).

Wizard Labs is still accountable for any actions or inactions of its sub-processors to the same extent as if it was performing the services of each sub-processor directly under the terms of this policy.

Both parties agree that the copies of the sub-processor agreements that Wizard Labs provides to the Merchant for the Standard Contractual Clauses (Module Two) may have any commercial or non-relevant information removed by Wizard Labs. Wizard Labs will provide these copies in a manner it sees fit, when requested by the Merchant.

The Merchant acknowledges and agrees that Wizard Labs may use telecommunications providers as part of providing the Service. The Merchant also acknowledges that in order to send communications for the Service, Wizard Labs may have to transmit the Merchant's communications through existing telecommunications networks and suppliers, which may be companies that are required to comply with telecommunications and privacy laws, but may not have direct contracts with Wizard Labs or the Merchant. The Merchant also acknowledges that Wizard Labs may use payment gateways in providing the Service through companies that are required to comply with data protection laws, but may not have direct contracts with Wizard Labs. The Merchant authorizes Wizard Labs to transmit communications through existing telecommunications networks and use payment gateways as needed to provide the Service, and acknowledges and agrees that telecommunications networks and payment gateways suppliers are not considered sub-processors under the Agreement.

When the Merchant reports potential issues with the quality of the Service, the Merchant authorizes Wizard Labs to work with its relevant suppliers to diagnose and resolve the reported issues, including by providing them with access to necessary data, such as recordings and logs, which may contain personal data.

Transfers of Personal Data

Wizard Labs is obligated to comply with all relevant regulations for cross-border transfers of personal data under Data Protection Legislation.

If Wizard Labs processes any personal data that originates from the European Economic Area (EEA) or a country that has not been deemed by the European Commission to provide an adequate level of protection for personal data, the parties will enter into the Standard Contractual Clauses for the transfer of personal data to third countries as outlined in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021. These clauses are incorporated into and form part of this policy.

The parties agree that the data processing details outlined in Annex A of this policy will apply for the purposes of Annex 1 of the Standard Contractual Clauses, and the technical and organizational security measures outlined in Annex B of this policy will apply for the purpose of Annex 2 to the Standard Contractual Clauses. Wizard Labs is considered the "data importer" and the Merchant the "data exporter" under the Standard Contractual Clauses, and both parties will comply with their respective obligations under the Standard Contractual Clauses. The Merchant authorizes Wizard Labs to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processors (including Wizard Labs Affiliates). Unless Wizard Labs notifies the Merchant otherwise, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, those amendments will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C applies to the use of the Standard Contractual Clauses.

If Wizard Labs processes any personal data that originates from a country that has not been deemed by the government to provide an adequate level of protection for personal data, and the parties have implemented a validation mechanism for such transfers, the parties agree that this mechanism will continue to apply to such transfers. Unless the Merchant notifies Wizard Labs otherwise, if the government later recognizes the new Standard Contractual Clauses as a valid data transfer mechanism, they will supersede and replace the existing mechanism. The Annexes of this policy replace any previous data processing agreements signed between the Merchant and Wizard Labs, except where such would represent a conflict with this section.

The parties agree that the data export solution identified in this policy will not apply if the Merchant chooses to adopt an alternative data export solution that is legally recognized under Data Protection Legislation. In this case, the Merchant will cooperate with Wizard Labs to find a solution, and this alternative data export solution will apply instead, but only to the extent that it covers the territories to which personal data is transferred under this policy.

Other

Words following the terms "including" and similar expressions, such as "for example," do not limit the meaning of the words that come before them.

This policy replaces and supersedes any previous data processing policies, attachments, or exhibits, including privacy policies, between the parties, except as provided for in this DPA, if applicable. Any addenda, attachments, or exhibits related to security will still be in effect and supplement the security measures outlined in Annex B. If there is a conflict between Annex B and any other agreement the Merchant has with Wizard Labs regarding information security, including administrative, physical, or technical safeguards for protecting data, the provisions that provide more protection for the data will take precedence.

Liability

Even though this policy may state otherwise, the liability of each party and each party's Affiliates under this policy will be subject to the exclusions and limitations of liability outlined in the Agreement. If there is no such provision in the Agreement, neither party will be liable for any damage which exceeds the total amount paid or payable to Wizard Labs under the Agreement during the 12-month period before the initial claim, and neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the Agreement or this policy.

Governing Law and Jurisdiction

This policy will be governed by and interpreted in accordance with the provisions of governing law and jurisdiction in the terms of service, unless required otherwise by applicable Data Protection Legislation.

Termination of policy

This policy will end automatically when the app is uninstalled.

This policy becomes a binding part of the Agreement from the Effective Date of the policy.

ANNEX A - PERSONAL DATA PROCESSING PURPOSES AND DETAILS

LIST OF PARTIES

Data exporter(s): Role (controller/processor): Controller

The contact person for data protection matters, position and contact details of the data protection officer and/or representative in the European Union (if different) should be provided by the data exporter via email to [email protected] after the Agreement has been signed.

The activities relevant to the data transferred under these Standard Contractual Clauses (SCCs) include services provided by the data importer to the data exporter that involve the transfer of personal data as outlined in the Agreement.

Data importer(s): Contact details for data protection matters: [email protected]

The activities relevant to the data transfer include the services provided by the data importer to the data exporter that involve the transfer of personal data as outlined in the Agreement.

DESCRIPTION OF TRANSFER

Groups of individuals whose personal information is being shared.

A merchant may provide personal information to Wizard Labs in order for the latter to provide its services. The merchant has complete control over the extent of personal data shared and this can include, but is not limited to, personal information related to certain groups of people. These are:

  • Merchants, business partners, and (who are natural persons)
  • Employees or contact persons (both of whom are natural persons) of Merchant, business partners, and vendors
  • Merchant’s end users (i.e., customers, respondents, visitors).
  • Employees, agents, advisors, contractors, or any user authorized by Merchant to use the Services (who are natural persons)

Categories of personal data transferred

A merchant may provide personal information to Wizard Labs in order for the latter to provide its services. The merchant has complete control over the extent of personal data shared and this can include (depending on the type of services being provided).

The merchant may upload, submit or provide certain personal data to the service, the extent of which is determined and controlled by the merchant, and may include the following types of personal data.

  • Merchants: Personal information such as identification and contact details (name, address, job title, contact information, username), financial information (banking details, payment information), employment information (employer, job title, location, areas of responsibility).
  • Contacts: Personal information such as identification and contact details (name, gender, occupation or other demographic information, address, title, contact information including email, phone number, and profile photo), personal interests or preferences, IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).
  • Project content: Data submitted by customers through the service in the form of text, images, video and audio files, or other data files. The extent of data is typically determined by the project type (segmentation, consumer habits and opinions, user preferences, market segmentation, and other data).

If applicable, sensitive data will be transferred with strict restrictions and safeguards in place to fully consider the nature of the data and potential risks, such as specific limitations on its use, restricted access for staff who have received specialized training, keeping records of access to the data, limitations on further sharing or additional security measures.

Sensitive data may be transferred by the Merchant to Wizard Labs only when necessary for providing the services outlined in the agreement.

The measures in place to protect this data are detailed in Annex B. The data transfer will happen continuously.

Nature of the Processing

Wizard Labs will process personal data as required to fulfill the Services outlined in the Agreement, according to instructions provided by the Merchant (as stated in this policy) when using the Services.

Purpose of data transfer and further processing:

Wizard Labs will process personal data for the purposes necessary to perform the Services outlined in the Agreement, according to instructions provided by the Merchant (as stated in this policy) when using the Services.

Retention period of personal data or criteria used to determine that period:

Personal data will be retained as long as required for the provision of Services by Wizard Labs under the Agreement.

Transfers to (sub-) processors, including subject matter, nature, and duration of processing:

Subject matter and nature of processing will be done for the duration required for the data importer to provide the Services to the data exporter.

ANNEX B - TECHNICAL MEASURES

This Annex II outlines the security measures that Wizard Labs will implement in relation to the personal data provided by the Merchant to Wizard Labs to allow it to provide the services under the Agreement.

- Measures of encryption

Wizard Labs encrypts personal data of the Merchant while it is being transmitted over internal networks and when it is sent to and received from Wizard Labs's Applications.

- Measures for ensuring ongoing confidentiality, integrity, availability, and resilience

Wizard Labs has documented plans for business continuity and disaster recovery to ensure that operations can quickly resume with minimal interruption in case of an unexpected event that could significantly affect the personal data of the Merchant or Wizard Labs's ability to provide products and services under the Agreement.

- Measures for ensuring the ability to restore the availability

Wizard Labs performs regular data replication and backup as necessary to prevent data loss and ensure service recovery for the Merchant.

- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Wizard Labs uses various tools to continuously monitor and track security vulnerabilities, identify, report, and address network vulnerabilities. As part of ongoing information security activities, security vulnerabilities are prioritized and assigned appropriate remediation processes based on the type of vulnerability, its severity, and potential impact.

Wizard Labs frequently conducts penetration testing on its networks, infrastructure and products, including identifying security vulnerabilities. The company further leverages automated penetration testing tools for a comprehensive view of existing vulnerabilities and attack vectors to reduce the risk of cyber attacks.

- Measures for user authorization

Wizard Labs controls, monitors and protects users' access credentials and secrets using industry-standard tools, including its own security products. The company also secures physical access to the equipment used for storing personal data of Merchant by using industry-standard processes to limit access to authorized personnel.

Wizard Labs's policies for internal access to personal data of Merchant are based on the least privilege and need-to-know principles, according to individual roles and responsibilities. The company maintains methods and procedures to prevent unauthorized access to the Merchant's personal data and the systems that host it. It uses appropriate authentication methods to control access to the network applications and systems that contain personal data of Merchant (which may include Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) and more).

- Measures for data protection during transmission

Wizard Labs encrypts all personal data of the Merchant while it is being transmitted over internal or external networks and when it is sent to and received from Wizard Labs.

- Measures for data protection during storage

Where feasible in relation to the services provided to the Merchant, Wizard Labs encrypts personal data of the Merchant while it is stored in its systems.

- Measures for ensuring the physical security of locations

Wizard Labs implements security measures at its office and facilities that host servers containing sensitive or critical information, including personal data of the Merchant, and only allows authorized personnel access to these facilities.

- Measures for ensuring events logging

We have established processes and policies to ensure that incidents are properly handled and recorded.

- Measures for ensuring system configuration

Wizard Labs creates, documents and maintains current configurations of systems under control, and reviews these configurations at least annually. Default configurations of technical controls are removed before the system is operational.

- Measures for internal IT security governance

Wizard Labs has established policies and procedures to ensure that roles and responsibilities related to managing and monitoring security requirements and procedures are clearly defined.

- Measures for certification of processes and products

Wizard Labs currently adopts leading software development practices to develop its application.

- Measures for ensuring data minimization

All of Wizard Labs's employees are required to complete initial and ongoing training on information security and GDPR compliance, including specific modules on data minimization.

Wizard Labs's Internal Privacy Policy also includes guidance for employees to ensure that the data they handle is limited in scope and duration to what is necessary for the purpose of the processing.

Wizard Labs processes the data provided by Merchants, the extent of which is determined and controlled by the Merchant alone.

- Measures for ensuring data quality

Wizard Labs processes the data provided by Merchants through the Shopify API. Wizard Labs is not responsible for the accuracy of the provided data.

The quality of the data generated by Wizard Labs's products is ensured through the implementation of secure development practices.

- Measures for ensuring data retention

Wizard Labs retains merchant information only for the period specified in the Agreement or documentation, except when a longer retention period is required by law or regulations.

Wizard Labs securely disposes of personal data of merchant in accordance with the Agreement and applicable laws, ensuring that the data cannot be read or reconstructed.

- Measures for ensuring accountability

Wizard Labs's information security framework includes practices and procedures like managing assets, managing access, physical security, people security, network security, security of third-parties, security of products, vulnerability management, security monitoring and incident response. The information security policies and standards have been approved by management and are accessible to all Wizard Labs employees.

ANNEX C - ADDITIONAL SAFEGUARDS

This Annex is supplementary to, and should be read together with, the Standard Contractual Clauses. Any references to the 'Clauses' in this Annex should be understood as references to the Standard Contractual Clauses.

The data importer must reasonably aid the data exporter in evaluating the suitability of protection for personal data in compliance with the requirements of the applicable data protection laws.

When receiving any legally binding order or request for disclosure of personal data by a law enforcement agency or other competent government authority, the data importer will comply.

Updated at: July 2024