Data Processing Addendum (DPA) Service

Date of Last Revision: January 1, 2025

Data Privacy

Subject Matter, Nature, and Purpose of Processing

BigCommerce: To provide and improve the Services under the Terms of Service, Master Services Agreement, and any other terms that this Addendum is incorporated into, to provide any related support to the customer, as otherwise permitted under Data Protection Law, or as initiated by the Controller from time to time.



Feedonomics: To provide and improve the Services under the Terms of Service, Master Services Agreement, and any other terms that this Addendum is incorporated into, to provide any related support to the customer, as otherwise permitted under Data Protection Law, or as initiated by the Controller from time to time.



Duration and Frequency of Transfer

BigCommerce and Feedonomics: Coterminous with the Agreement; ongoing transfer

Type of Personal Data to be Processed

BigCommerce: Account Information, Browser Information, Contact Information, Device Information, Payment Information, Security Information, Support Information, Transaction Information



Feedonomics: Account Information, Contact Information, Support Information, Transaction Information



Categories of Data Subjects

BigCommerce and Feedonomics: Customers of Customer

This Data Processing Addendum, including its Schedules and Exhibits (collectively the “DPA”) forms part of the Master Services Agreement, Terms of Service, or other written or electronic agreement (“Agreement”) between a BC Entity and Customer (collectively the “Parties”) for the purchase of online services identified in the Agreement from a BC Entity (hereinafter defined as “Service(s)”). This DPA applies when a BC Entity acts as a Processor on behalf of the Customer for the provision of the Services. Capitalized terms that are not defined in this DPA have the meanings ascribed to them in the Agreement or under Data Protection Laws. In the event of any conflict between the provisions of the Agreement and this DPA, the provisions of this DPA will prevail. This DPA reflects the Parties’ agreement with regard to the Processing of Personal Data. In the course of providing the Services to Customer pursuant to the Agreement, a BC Entity Processes Personal Data on behalf of the Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.



OPERATION OF THIS DPA

This DPA consists of the main body of the DPA which is applicable to all BC Entity Processing, Exhibit A (Security Procedures) which is applicable to all BC Entity Processing, Exhibit B (BigCommerce Specific Data Processing Terms) which applies only to BigCommerce Processing, Exhibit C (Feedonomics Specific Data Processing Terms) which applies only to Feedonomics Processing, and Schedule 1 (BigCommerce Specific Security Procedures) which applies only to BigCommerce Processing.



HOW THIS DPA APPLIES

If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such a case, the BC Entity that is party to the Agreement is party to this DPA.



If the Customer entity signing this DPA has executed an Order Form with a BC Entity pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Form(s), and the BC Entity that is party to such Order Form is party to this DPA. If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding.

  1. Definitions.
    1. “BC Entity” means a BigCommerce entity which is party to this DPA, as specified in the section “HOW THIS DPA APPLIES” located above, BigCommerce, Inc., a Texas corporation in the United States; BigCommerce UK Ltd., a United Kingdom limited company, BigCommerce Software Ireland Ltd., an Irish limited company, BigCommerce Pty. Ltd., an Australia proprietary limited company, and Feedonomics Holdings, LLC, a Delaware corporation in the United States.
    2. “BigCommerce” means the following legal entities: BigCommerce, Inc., a Texas corporation in the United States; BigCommerce UK Ltd., a United Kingdom limited company, BigCommerce Software Ireland Ltd., an Irish limited company, BigCommerce Pty. Ltd., an Australia proprietary limited company.
    3. “Feedonomics” means the following legal entities: Feedonomics Holdings, LLC, a Delaware corporation in the United States.
    4. “Data Protection Laws” means any data protection legislation or regulation applicable to the Processing of Personal Data by a BC Entity under the Agreement, including, as applicable: (i) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); (ii) the General Data Protection Regulation as it forms part of UK domestic law by virtue of the UK Data Protection Act 2018 and Section 3 of the European Union (Withdrawal) Act 2018 and subsequent amendments (“UK GDPR”); and (iii) the California Consumer Privacy Act of 2018, as amended or modified, including as amended by the California Privacy Rights Act of 2020 (“CCPA”). Unless otherwise stated, “GDPR” means both the EU GDPR and UK GDPR. Notwithstanding the foregoing, “Data Protection Laws” shall not include any laws or regulations that require the localisation of Personal Data.
    5. “Personal Data” means any information relating to an identifiable or identified Data Subject or Customer of a Customer who visits or engages in transactions with a BC Entity Service where (i) a BC Entity Processes such data as a Processor while providing Customer with the Services under the Agreement, and (ii) would be considered personal information or personal data as such terms/concepts are defined by applicable Data Protection Laws; provided, however, that Personal Data excludes any such information that has been aggregated or anonymized in a manner that is not (1) identifiable as having originated from the Data Subject, or (2) capable of allowing a recipient to infer the Data Subject’s information.
    6. “Sell”, “Share”, “Controller”, “Data Subject”, “Consumer”, “Processor”, “Subprocessor”, “Service Provider” and “Processing” have the meanings ascribed to them in applicable Data Protection Laws and their cognate terms will be construed accordingly.
    7. “Subprocessor” means an entity appointed by a BC Entity to Process Personal Data on behalf of Customer in connection with the Agreement and excludes the following: (i) third-party apps in a BC Entity’s app marketplace; and (ii) third-party contributions, features, functionality, consulting or other third-party services elected by Customer.
  2. Roles and Processing. A BC Entity shall act as Processor and Process the Personal Data only to provide the Services, on Customer’s documented instructions, or as consistent with the Agreement or any underlying Agreement. Customer shall act as Controller and shall comply with all applicable laws, including Data Protection Laws, in providing Personal Data to a BC Entity and further represents and warrants that all Personal Data will be collected and used by or on behalf of Customer in compliance with such laws, including with respect to any applicable obligations to provide notice to and/or obtain consent from individuals.
  3. Subprocessing.
    1. BC Entities may use Subprocessors to Process the Personal Data in compliance with Data Protection Laws. For the avoidance of doubt under this Agreement, the definition of Subprocessors excludes the following which Customer may utilize in the course of the Agreement: (i) third-party apps in the applicable BC Entity marketplace; and (ii) third party contributions, features, functionality, consulting or other third-party services elected by Customer and that are not directly related to a BC Entity's performance under this DPA.
      1. BigCommerce’s current Subprocessors are set forth at https://www.bigcommerce.com/privacy/data-processors/, or its successor page.
      2. Feedonomics’ Subprocessors may be found at the following link: https://feedonomics.com/third-party-sub-processors/, or its successor page.
    2. Additions; Replacement. This DPA is Customer’s general written authorization for a BC Entity to engage Subprocessors; provided, however, that the BC Entity will inform Customer through Customer’s primary contact or by posting on Customer’s control panel any intended changes concerning the addition or replacement of Subprocessors. If, within 14 days of receiving such notice, Customer does not provide written notice to the BC Entity of any reasonable objections that detail why the proposed Subprocessor would not adequately support Customer’s obligations under the Data Protection Laws, Customer will be deemed to have consented to the proposed engagement. If the Parties are not able to resolve a reasonable objection and the BC Entity continues to appoint such Subprocessor, then Customer will be entitled to terminate any Agreements with respect to the Processing of Personal Data under the Data Protection Laws by the new Subprocessor without any liability as a result of such termination (such termination, a “Subprocessor Objection Termination”). For the avoidance of doubt, the BC Entity shall have no liability for a Subprocessor Objection Termination and such Subprocessor Objection Termination shall not constitute a termination for breach.
    3. Liability. A BC Entity shall conduct security, privacy, and transfer assessments of all Subprocessors prior to onboarding and will enter into written agreements with any Subprocessor requiring the Subprocessor to provide a substantially similar level of data protection and information security as provided by this DPA and required by Data Protection Laws. A BC Entity will remain liable for any Subprocessor’s compliance with its obligations and for any acts or omissions of a Subprocessor that cause a Subprocessor to fail to fulfill such obligations or that cause a BC Entity to breach any of its material obligations under this DPA.
  4. Confidentiality. A BC Entity will treat all Personal Data that it Processes as confidential and will inform its employees, agents and/or approved Subprocessors engaged in Processing Customer Personal Data of the confidential nature of the Personal Data. A BC Entity will make commercially reasonable efforts to ensure that these persons or entities have signed an appropriate confidentiality or data protection agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
  5. Security. A BC Entity will implement the measures set forth in Exhibit A and not less than appropriate technical and organizational measures to protect the security of the Processing of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  6. Data Subject Requests. To the extent possible and taking into account the nature of the Processing, the BC Entity will make commercially reasonable efforts to assist Customer by providing functionality or taking appropriate measures to help fulfill Customer’s obligation to respond to Data Subject requests under applicable Data Protection Laws.
  7. Notifications. If a BC Entity is otherwise required to comply with a legal obligation, a BC Entity will make commercially reasonable efforts to inform Customer of that legal obligation, unless the BC Entity is prohibited from doing so. A BC Entity will inform Customer if, to its knowledge, an instruction from Customer would infringe Data Protection Laws.
  8. Incident Management. If a BC Entity becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by a BC Entity under this DPA while providing the Services (a “Security Incident”), it will, in accordance with Exhibit A notify Customer and provide Customer a description of the Security Incident as well as periodic updates to information about the Security Incident. In accordance with Exhibit A, the BC Entity will investigate the Security Incident and take reasonable steps to prevent or mitigate the effects of a Security Incident caused by a material breach of a BC Entity’s obligations under this DPA.
  9. Data Processing Limitations. Except as specifically provided in writing otherwise, the Services are not intended to store, use, or otherwise Process any type of Personal Data that may be considered “sensitive data” or “special categories of personal data” under Data Protection Laws, or that otherwise would reasonably be considered sensitive in nature (collectively, “Sensitive Data”). For example, the Services are not intended to Process Personal Data including but not limited to protected health information (“PHI”), as defined by the Health Insurance Portability and Accountability Act of 1996 and its enabling regulations and related laws (“HIPAA”). Customer represents and warrants that it will not provide a BC Entity or allow a BC Entity to Process Sensitive Data on Customer’s behalf through use of the Services. For the avoidance of doubt, nothing in this section prohibits or limits the ability of the Customer to Process payment information under a BigCommerce product.
  10. CCPA Compliance. If a BC Entity Processes Personal Data of California residents, the BC Entity shall comply with the CCPA. Specifically, the BC Entity agrees that:
    1. A BC Entity acts solely as a Service Provider in relation to Personal Data and, in accordance with the provisions of this DPA, Customer alone determines the purposes and means of the Processing of Personal Data (“Service Provider” shall have the same meaning ascribed in the CCPA).
    2. The BC Entity will not Sell or Share Personal Data of California residents, and the Parties acknowledge and agree that Customer does not Sell or Share Personal Data to the BC Entity in connection with the Services (“Sell” and “Share” shall have the meaning ascribed to in the CCPA). Further, as set forth elsewhere in this DPA, the BC Entity will not retain, use, Share, or disclose Customer Personal Data (1) for any purpose other than performing or supporting the Services, or (2) outside of the direct business relationship between the Parties except as authorized through the Agreement. When utilizing Subprocessors to perform or support the Services, the BC Entity will comply with the provisions of Section 3 of this DPA.
    3. For the purposes of data security under the CCPA, a BC Entity shall comply with the applicable requirements and restrictions set forth in the Agreement and this DPA, including Exhibit A.
  11. Termination. Upon termination of the Services or expiration of the Term and subject to the law, a BC Entity will promptly delete or anonymize Personal Data. If Customer requests a copy of such Personal Data prior to deletion, the BC Entity will make a copy of such Personal Data reasonably available to Customer.
  12. Updates. Subject to compliance with Data Protection Laws, a BC Entity may update this DPA, including as necessary to account for changes in circumstances, Data Protection Laws, international data transfer mechanisms, and BC Entity products, features, or functionality. When this DPA is updated a BC Entity shall provide notice (email to suffice) to the customer. If within thirty (30) days of receiving the update, Customer does not provide written notice to the BC Entity of any reasonable objections that detail why the proposed change would not adequately support Customer’s obligations under the Data Protection Laws, Customer will be deemed to have consented to the proposed update.

Exhibit A

Security Procedures

  1. Security Controls. A BC Entity will maintain security measures appropriate to the nature of the Personal Data including the following.
    1. Generally. A BC Entity will maintain an information security management system, maintain automated tools to identify attempts to exfiltrate data, use certificate-based security, and develop and maintain secure key management policies and procedures. A BC Entity will monitor, log, audit, and escalate threats after applicable risk assessments have been performed. A BC Entity will manage the secure lifecycle of systems and software.
    2. Boundary Defense and Security Segmentation. A BC Entity will monitor, detect, and restrict the flow of information on a multilayered basis. A BC Entity will design and implement multilayered and secure network and system segmentation.
    3. Physical Security. A BC Entity will maintain an access control system that enables the BC Entity to monitor and control physical access to the BC Entity’s facilities.
    4. Personnel. Where applicable to the Processing, a BC Entity will (a) subject to applicable law, perform or require background screening, (b) provide or require security training, and (c) require appropriate confidentiality and security obligations.
  2. Verification of Security Controls.
    1. Penetration Testing. A BC Entity will conduct periodic penetration tests of BC Entity systems.
    2. Deficiencies. A BC Entity will at its own expense promptly cure deficiencies identified in any audit or vulnerability scan with a CVSS score of 4.0 or greater or that materially and adversely affects Customer Personal Data.
  3. Security Incidents.
    1. Notification. Upon a BC Entity's discovery of a Security Incident and unless prohibited by applicable law, BigCommerce will notify Customer no later than 72 hours following its confirmation of a Security Incident, and provide the following information:
      1. a summary of the Security Incident,
      2. an expected resolution time (if known), except that if the resolution path is unknown at the time of notification, a BC Entity will advise Customer that the path is unknown, and
      3. a means to obtain continued incident updates, if applicable.
    2. Security Incident Procedures. In the event of a Security Incident caused by a material breach of a BC Entity’s obligations under this DPA, a BC Entity will, subject to the liability limits of the Agreement, (a) reasonably cooperate with any investigation concerning the Security Incident by Customer, regulators, or law enforcement, and (b) reasonably cooperate with Customer to comply with applicable law concerning such Security Incident, including any notification to affected data subjects. For the avoidance of doubt, a BC Entity shall not be liable for any Security Incident caused by Customer or by any third-party integrations or services elected by Customer.
    3. Customer Reporting. Customer may report Security Incidents to affected persons and/or any governmental authority or agency having supervisory or oversight authority over Customer or Security Incidents.
    4. Corrective Measures. A BC Entity will undertake a procedural review and audit to determine measures to avoid occurrence of a similar situation, notify Customer of the corrective measures undertaken, and take additional measures reasonably deemed appropriate by a BC Entity.

Schedule 1

BigCommerce Specific Security Procedures

This schedule provides supplemental Security Procedures specific to BigCommerce Services and is incorporated into Exhibit A when such Services are applicable under the Agreement.

  1. Security Controls.
    1. Information Security Management Systems (“ISMS”). BigCommerce operates a comprehensive ISMS. BigCommerce’s ISMS is audited and certified annually by an independent third-party to meet or exceed ISO/IEC 27001 technical standards. BigCommerce will use commercially reasonable efforts to maintain such certification during the Agreement, as well as controls consistent with or substantially similar to the following technical and organizational measures:
      1. Encryption. Where applicable, BigCommerce encrypts Personal Data by default in-transit and at-rest.
      2. Minimization. BigCommerce minimizes Personal Data on its platform by design, including through anonymization, pseudonymization, and de-identification where practicable.
      3. Cybersecurity. Where applicable, BigCommerce infrastructure includes perimeter and host-based firewalls, file integrity monitoring, access control monitoring, intrusion detection, and application firewalls.
      4. Integrity and Stability. BigCommerce infrastructure is logically segmented and replicated throughout multiple availability zones. Each store on the platform is protected by multiple layers of security and access control, including cloud security posture management and global cloud network protection.
      5. Testing. BigCommerce conducts frequent vulnerability scans and engages third-party providers to conduct substantive vulnerability assessments.
      6. Governance. As a matter of policy and practice, BigCommerce takes organizational measures to promote:
        1. commercially reasonable internal IT and IT security governance, management, and training;
        2. commercially reasonable business continuity planning and management;
        3. commercially reasonable ability to restore availability and access in the event of an incident;
        4. regular testing, assessment and evaluation of the effectiveness of BigCommerce’s organizational measures;
        5. commercially reasonable user identification, authorization, and access control;
        6. commercially reasonable secure system configuration;
        7. assessment of Subprocessors in accordance with BigCommerce’s ISMS and obligations as a Processor, including with regard to security, privacy, and transfer impact;
        8. data deletion, where applicable, in accordance with BigCommerce’s contractual obligations, internal policies, obligations as a Processor, and Data Protection Laws; and
        9. re-evaluation of technical and organizational measures in light of relevant changes.
  2. Verification of Security Controls.
    1. On an annual basis, BigCommerce will, at its sole cost and expense, retain an independent, appropriately-qualified auditor to undertake an assessment of and prepare a report of BigCommerce’s information security controls related to BigCommerce’s ISMS.
    2. On an annual basis, BigCommerce will conduct a PCI-DSS audit and make the summary Attestation of Compliance available.

Exhibit B

BigCommerce Specific Data Processing Terms

This Exhibit supplements the Data Processing Terms in the Data Processing Addendum for BigCommerce Services as applicable under Data Protection Laws.

  1. Data Transfer. BigCommerce may transfer, process and store Personal Data in regions in which BigCommerce or its Subprocessors operate, subject to compliance with Data Protection Laws.
    1. BigCommerce is a participant in the EU-U.S. Data Privacy Frameworks as well as in the UK and Swiss Extension to the EU-U.S. Data Privacy Framework. To the extent such frameworks, or any successor frameworks, are deemed adequate as valid data transfer mechanisms under applicable Data Protection Laws, the Parties may utilize such frameworks to transfer Personal Data to a third country. BigCommerce will notify Customer if it can no longer meet its obligation to provide the level of protection required by the Data Privacy Framework principles.
    2. If and to the extent that any Processing of Personal Data subject to the EU GDPR by BigCommerce takes place in any country outside the EEA whose laws do not provide an adequate level of data protection and an independently valid data transfer mechanism does not exist, or either Party relies on a transfer mechanism that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
      1. the Standard Contractual Clauses approved by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914, Controller-to-Processor Clauses (Module Two) will apply when Customer is acting as a controller (“EU SCCs”):
        1. for the purposes of Annex I to the EU SCCs, BigCommerce will comply with the obligations of “data importer” and the Customer will comply with the obligations of “data exporter;”
        2. Clause 7 of the EU SCCs, the optional docking Clause will not apply;
        3. the activities of Customer as data exporter, of BigCommerce as data importer, and the details of the data subjects, types of data, special categories of data (if appropriate) and processing operations are as set out throughout this DPA and in the table on page 1 of this DPA;
        4. Clause 3 of this DPA (Subprocessing) shall apply for purposes of Annex III to the EU SCCs and for general written authorization of sub-processors under Clause 9(a) of the EU SCCs (Use of sub-processors);
        5. in Clause 11 of the EU SCCs, the optional language will not apply;
        6. the laws of the Republic of Ireland will govern the EU SCCs (Clause 17) and that the choice of forum and jurisdiction shall be the courts of the Republic of Ireland (Clause 18(b));
        7. for the purposes of Annex I.C. (Competent Supervisory Authority), the Competent Supervisory Authority will be determined in accordance with Clause 13 (a) of the EU SCCs. In case of doubt, the Competent Supervisory Authority will be the Irish Data Protection Commission; and
        8. Exhibit A and Schedule 1 of this DPA shall apply for the purposes of Annex II to the EU SCCs (Technical and Organizational Measures).
      2. If the EU SCCs will be declared invalid the Parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer.
    3. If and to the extent that any Processing of Personal Data subject to the UK GDPR by BigCommerce takes place in any country outside the UK whose laws do not provide an adequate level of data protection and an independently valid data transfer mechanism does not exist, or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
      1. the terms of the International Data Transfer Addendum to the EU SCCs in force 21 March 2022 issued by the UK Information Commissioner’s Office pursuant to S119A(1) of the UK Data Protection Act 2018 (“UK IDTA”) will apply:
        1. for purposes of Part 1 of the UK IDTA, the terms of this DPA, including the relevant roles of the Parties as set forth in Section 1.2(b) and the technical and organizational measures set out in Exhibit A and Schedule 1, shall apply;
        2. the start date of the UK IDTA as set out in Table 1 of the UK IDTA shall be the effective date of the Agreement;
        3. both Customer and BigCommerce shall be allowed to end subscription to the UK IDTA as set out in Section 19 of the UK IDTA; and
        4. for purposes of Part 2 of the UK IDTA, the EU SCCs shall apply.
      2. If the EU SCCs or the UK IDTA will be declared invalid the Parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer.
    4. If and to the extent that any Processing of Personal Data subject to the jurisdiction of the Swiss Federal Data Protection and Information Commission (“FDPIC”) takes place in any country outside Switzerland whose laws do not provide an adequate level of data protection and an independently valid data transfer mechanism does not exist, or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
      1. the EU SCCs and cognate roles, activities, and authorizations set forth in Section 1.2(b) will apply, except that:
        1. all references to the GDPR shall be read to include reference to the Swiss Data Protection Act;
        2. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law" (as applicable);
        3. in Clause 18(c) of the EU SCC the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
        4. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the FDPIC;
        5. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "FDPIC" and "applicable courts of Switzerland"; and
        6. in Clause 17, the EU SCCs shall be governed by the laws of Switzerland;
      2. If the EU SCCs will be declared invalid the Parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer.
    5. BigCommerce will notify Customer if it can no longer meet its obligation to provide the level of protection required by Data Protection Laws.
    6. For a transfer to Subprocessor outside the EEA or the UK, Art. 44 et seqq. GDPR applies. 
  2. Assistance/Inspections. BigCommerce will make relevant information necessary to demonstrate compliance with Article 28 of the GDPR reasonably available. At Customer’s written request, BigCommerce will, taking into account the nature of Processing and the information available to the Processor, reasonably assist the Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR.
    1. For the avoidance of doubt, Customer agrees and understands that the resources available via the BigCommerce Platform Trust Center (currently available at: security.bigcommerce.com) or its successor page, including but not limited to BigCommerce’s most recent third-party audit attestations, certifications, and reports, will suffice for purposes of any required documentation under this provision.
    2. To the extent the documentation identified in Section 2.1 does not provide sufficient information under Data Protection Laws, then BigCommerce will, at Customer’s expense and subject to reasonable notice, scope, frequency, relevancy, and confidentiality requirements, allow for and contribute to audits, including inspections, conducted by Customer or an appropriately-qualified auditor, provided that the information sought is not reasonably available through less intrusive means. Customer will reimburse BigCommerce for any time expended on such audits or inspections.

Exhibit C

Feedonomics Specific Data Processing Terms

This Exhibit supplements the Data Processing Terms in the Data Processing Addendum for Feedonomics Services as applicable under Data Protection Laws.

  1. Data Transfer. Feedonomics may transfer, Process and store Personal Data in regions in which Feedonomics or its Subprocessors operate, subject to compliance with Data Protection Laws.
    1. If and to the extent that any Processing of Personal Data subject to the EU GDPR by Feedonomics takes place in any country outside the EEA (except if in a country whose laws provide an adequate level of data protection), or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
      1. the Standard Contractual Clauses approved by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914, Controller-to-Processor Clauses (Module Two) will apply when Customer is acting as a controller or Processor-to-Processor Clauses (Module Three) will apply when Customer is acting as a processor (“EU SCCs”):
        1. for the purposes of Annex I to the EU SCCs, Feedonomics will comply with the obligations of the “data importer” and the Customer will comply with the obligations of “data exporter”;
        2. Clause 7 of the EU SCCs, the optional docking Clause will not apply;
        3. the activities of Customer as data exporter, of Feedonomics as data importer, and the details of the data subjects, types of data, special categories of data (if appropriate) and Processing operations are all as set out in the table on page 1 of this DPA;
        4. Clause 3 of this DPA (Subprocessing) shall apply for purposes of Annex III to the EU SCCs and for general written authorization of sub-processors under Clause 9(a) of the EU SCCs (Use of sub-processors);
        5. in Clause 11 of the EU SCCs, the optional language will not apply;
        6. the laws of the Republic of Ireland will govern the SCCs (Clause 17) and that the choice of forum and jurisdiction shall be the courts of the Republic of Ireland (Clause 18(b));
        7. for the purposes of Annex I.C. (Competent Supervisory Authority), the Competent Supervisory Authority will be determined in accordance with Clause 13(a) of the EU SCCs. In case of doubt, the Competent Supervisory Authority will be the Irish Data Protection Commission; and
        8. Exhibit A of this DPA shall apply for the purposes of Annex II of the Appendix to the SCCs (Technical and Organisational Measures).
      2. If the EU SCCs will be declared invalid the Parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer.
    2. If and to the extent that any Processing of Personal Data subject to the UK GDPR by Feedonomics takes place in any country outside the UK (except if in a country whose laws provide an adequate level of data protection), or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
      1. the terms of the International Data Transfer Addendum to the EU SCCs in force 21 March 2022 issued by the UK Information Commissioner's Office pursuant to S119A(1) of the UK Data Protection Act 2018 ("UK IDTA") will apply:
        1. for the purposes of Part 1 of the UK IDTA, the terms of this DPA, including the relevant roles of the Parties as set forth in Section 1.2(b) and the technical and organizational measures set out in Exhibit A, shall apply;
        2. the start date of the UK IDTA as set out in Table 1 of the UK IDTA shall be the effective date of the Agreement;
        3. both Customer and Feedonomics shall be allowed to end subscription to the UK IDTA as set out in Section 19 of the UK IDTA; and
        4. for purposes of Part 2 of the UK IDTA, the EU SCCs shall apply.
      2. If the EU SCCs or the UK IDTA will be declared invalid the Parties will, to the extent necessary, cooperate in good faith to terminate the transfer or pursue a suitable alternate mechanism that can lawfully support the transfer.
    3. Feedonomics will notify Customer if it can no longer meet its obligation to provide the level of protection required by the Data Protection Laws.
    4. For a transfer to Subprocessors outside the EEA or the UK, Art. 44 et seqq. GDPR applies.
  2. Assistance/Inspections. At Customer’s written request, and to the extent possible and commercially reasonable taking into account the nature of Processing and the information available to the Processor, Feedonomics will reasonably assist the Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR. At Customer’s written request, and no more than once annually, Feedonomics will make relevant information reasonably necessary to demonstrate compliance with Article 28 of the GDPR available to Customer. To the extent required by Data Protection Laws and subject to reasonable notice, scope, frequency, relevancy, and confidentiality requirements, Feedonomics will allow for and contribute to audits, including inspections, conducted by the Customer or an appropriately-qualified auditor, provided that the information sought is not reasonably available through less intrusive means. Customer will reimburse Feedonomics for any time expended on such audits or inspections.
  3. Verification of Security Controls. No more than once annually and only on written request of Customer, Feedonomics Holdings will at Customer’s sole cost and expense retain an independent, appropriately-qualified auditor to undertake an assessment of and prepare a report of Feedonomics Holdings' information security management system and information security controls. Feedonomics Holdings will conduct periodic penetration tests of Feedonomics Holdings Systems.