Terms of Service – EU

Latest Version Posted: November 4, 2021

PLEASE READ THESE TERMS OF SERVICE CAREFULLY BEFORE USING THIS SITE AND THE SERVICE

IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THIS WEBSITE AND DO NOT SIGN UP FOR A PROVIDER ACCOUNT.

This website, including all content made available through the website, (“Site”) is owned and operated by Auctane LLC t/a ShipStation and its affiliates, including its parent company Stamps.com Inc. (collectively, “Provider”), and the services and products (“Services”) provided to you are subject to the following notices, terms, and conditions. “You,” “user”, and “account holder” refer to you as user of the Site and/or Software (as defined below) and/or subscriber to the Services. All references in these Terms (as defined below) to dollars or to “$” are expressed in U.S. currency unless otherwise specifically indicated. Unless otherwise agreed in writing with Provider, your agreement with Provider will always include, at a minimum, the terms and conditions set out in this document and our Privacy Policy (“Privacy Policy”). These terms and the Privacy Policy form a legally binding agreement between you and Provider in relation to your use of Provider’s Services. It is important that you take the time to read them carefully. Provider is firmly committed to protecting the privacy of your personal information and the personal information of your customers. By using the service, you acknowledge and agree that Provider’s collection, usage and disclosure of this personal information is governed by our Privacy Policy.

Collectively, this legal agreement is referred to below as the “Terms.” Provider may, from time to time, modify, amend, or supplement these Terms, and post those changes on the Terms of Service webpage. If you maintain an account balance with ShipStation, under its ShipStation Carrier Services product, also referred to as One Balance™, you hereby agree to and consent to the terms provided in Appendix A, which immediately follows these Terms, and shall become a part of these Terms. Modifications, amendments or supplements to these Terms shall automatically be effective seven (7) days after Provider has posted the modifications. If you do not agree to be bound by (or cannot comply with) these Terms, including the Terms as modified, you agree that your sole remedy is to cease using the Services by canceling your account. Your continued use of the Services constitutes your agreement to be bound by the Terms, including the amended Terms.

SERVICE PRICING

Provider offers multiple types of service plans – including, without limitation, monthly service plans. Your monthly service fee, if any, will be calculated based on the service plan presented to you and agreed to by you during service registration. In addition, you are responsible for all variable and transactional costs of using the service (including but not limited to postage, fees for private carriers, package insurance, items purchased in the online store, if any, fees for additional users, or other special services selected) in addition to your applicable service fee, if any. Your recurring service fee, if any, will be calculated and billed based on the date you register and the terms of your offer. If you have registered for a monthly billing plan (like most users), the monthly billing cycle ends each month after you register. For example, if you register on March 8, and you are provided a free trial offer, the first billing cycle will begin April 8, and the second billing cycle will begin on May 8. Provider bills in advance (i.e., at the beginning of the applicable billing cycle). If you cancel in the middle of a billing cycle you will not be refunded for your service fees and your account will remain available for usage for the full month of cancellation. If you register for a free offer, but wish to avoid incurring the monthly service fee, make sure to cancel your account before the free period ends. To cancel, you may do so online or by contacting [email protected] if you are a resident of Germany or [email protected] if you are a resident of France (“Support”).

ACCOUNT DURATION

Provider reserves the right to cancel your account for lack of use, lack of payment, or breach of these Terms. Following any account cancelation, Provider may maintain certain account settings and information for a limited period of time in the event of account re-activation

ACCOUNT CANCELLATION/TERMINATION

You may terminate or close your account at any time. However, depending on the service plan you selected, certain restrictions or fees may apply, as detailed below. To cancel, you may do so by: 1) accessing your online account or 2) contacting Support.

You will be asked to verify your account information and confirm your intent to cancel your account.

Monthly Service Plan. You are free to end your monthly service plan at any time upon the following conditions:

If you terminate your monthly service plan during the free trial period you will not be charged any service fee.
If you terminate your monthly service plan within the first ninety (90) days from signing up, you will receive a full refund of any monthly service fees paid (you will not be refunded postage or insurance fees).
If you terminate your monthly service plan after the first ninety (90) days, your account will be handled as follows at the discretion of Provider: (i) either a pro-rated/partial refund of that month’s service fee will apply and your account will be closed immediately; or (ii) your account will remain open and accessible until the end of that month’s billing cycle, no refund will be given and the account will be closed and no longer accessible.

In the event you or we terminate your account, or you remain inactive on your account for 12 months or longer, we reserve the right to refund any sums we hold on your behalf (including any balance in a Provider account for ShipStation Carrier Services) and to close your account.

FREE TRIAL OFFER TERMS

If you select to sign up for Provider’s “free trial”, then you will not be charged a service fee for the period of the trial offer; i.e., even if you fail to cancel following the trial period, you will not incur a service fee for the trial time period. At the conclusion of the free trial, if you wish to continue service you must choose a service plan and accept the terms.

During any applicable trial period for service fees, you are responsible for and must pay for any variable transactional fees and costs incurred in using Provider’s or any carrier services – including for, among other things, mailing, shipping, duties and fees, and package insurance purchased, including applicable adjustments following the transaction. In order to use Provider accounts for ShipStation Carrier Services (as more fully described in Appendix A), you must pre-fund your Provider account in an amount equal to or greater than the mailing or shipping service to be purchased.

Terms relating to BETA SERVICES

You may be invited to participate in a beta program or beta service offered by Provider (collectively, “Beta Services”). By agreeing to and complying with these Terms, we grant you a non-exclusive, revocable, non-transferable, limited license to use the Beta Services on an “as is” and “as available” basis. The Beta Services may contain bugs, defects, errors and other problems. YOU ASSUME ALL RISKS AND ALL COSTS ASSOCIATED WITH YOUR USE OF THE BETA SERVICES. TO THE FULLEST EXTENT PROVIDED BY LAW, PROVIDER SHALL NOT BE LIABLE FOR ANY DAMAGES RELATING TO YOUR USE OF THE BETA SERVICES. In addition, we are not obligated to provide any maintenance, technical or other support for the Beta Services.

As part of using the Beta Services, you will be asked to provide feedback regarding your use of the Beta Services. You acknowledge that Provider owns any feedback provided, and you hereby grant to Provider, if for any reason it is further needed, a non-revocable, royalty-free worldwide license to use and/or incorporate such feedback into any of our products or services at any time at our sole discretion, to the extent permitted under applicable law. If we choose to publish such feedback, we will either do so in a way that does not identify you or seek your consent in the event we do wish to identify you. We may also monitor how you use the Beta Services and use that information to improve the Beta Services or our other products and services. By using the Beta Services, you acknowledge and agree that Provider’s collection, usage and disclosure of any personal data is governed by our Privacy Policy.

We reserve the right to modify or terminate the Beta Services, or your use of the Beta Services, to limit or deny access to the Beta Services and/or participation in the Beta Program, at any time, in our sole discretion, for any reason, with or without notice and without liability to you. You acknowledge and agree that the Beta Services constitute confidential information of Provider, which you agree not to share with anyone other than other authorized users of the Beta Services.

METHOD OF PAYMENT

API TERMS

GLOBALPOST TRANSACTIONS

Third Party Partners: Certain shipping transactions may be offered through our affiliate’s GlobalPost service and related services (hereafter, “GlobalPost”). If you ship eligible items to a destination through GlobalPost, you may first be required to ship the item through a third party parcel processing facility which will then route the item to the destination address. You acknowledge and understand that one or more third party global shipping provider(s) may oversee the processing, customs clearance, and shipment of the item so long as it meets the terms and conditions of this program and any other applicable third party requirements. Eligible shipment items and quantities are generally governed by the origin and destination country’s postal regulations, import and export laws, rules and requirements. Ineligible items that are shipped may be returned, seized or destroyed pursuant to such laws, rules and requirements. Please contact us for additional information about eligible items and quantities. You acknowledge and agree that GlobalPost and our third party partners have the absolute discretion to disable the GlobalPost service from your account.

Procedures for GlobalPost Services: Guidelines for GlobalPost services may be found on the GlobalPost website.

Interchangeability of Services Used: Provider may substitute services in its sole discretion, but Provider generally offers substitute services that are similar to the originally selected service. In the event that another service is used, commercially reasonable efforts will be made to maintain a similar service standard.

Fees and Adjustments: The fees for GlobalPost are included in the shipping rates provided to you and the rate charged will be based on the rates that are available for your account. For parcels where you provide incorrect shipping details about the parcel (such as weight, address, dimensions, service type or package type), GlobalPost reserves the right, at its sole discretion, to either (i) deliver the parcel(s) at an increased rate that will be automatically charged to you, (ii) return the parcel(s) to you with the cost of the return and processing of the return charged to you, or (iii) destroy the parcel(s). In the event that the assessed rate cannot be calculated using the GlobalPost rates (for example, in the event that the actual weight of the shipment exceeds the maximum weight supported by the program), you will be charged for the replacement service, if applicable.

Duties and Taxes: Some GlobalPost services offer expedited customs clearance which require full payment of duties and taxes. GlobalPost provides various ways to pay duties and taxes, including and not limited to: (i) duties and taxes are deducted from your account balance; or (ii) duties and taxes are collected by GlobalPost from the recipient before their parcel leaves a GlobalPost processing facility. Improper classification of items in your parcel could result in adjustments to your account balance, an increase in the amount collected from the recipient, delay, disposal, or return. Note that due to international currency changes, the amounts may vary based on currency conversion at the time of your transaction. An additional administration fee related to the collection of duties and taxes may also apply. If your transaction requires the payment of duties and taxes by the recipient and your recipient refuses to pay for those amounts, you may be required to pay for the goods to be returned/destroyed or for other amounts imposed.

Refunds: No refunds shall be applicable for a GlobalPost shipment that has been provided to any carrier. In addition, no rate credits shall be applied in the event your shipment could have qualified for a less expensive rate but you did not select that rate.

Undeliverable Parcels: A parcel is considered undeliverable if (i) the recipient’s address is incomplete, illegible, incorrect or cannot be located, (ii) delivery cannot be made because of the unavailability or refusal of an appropriate person to accept delivery or sign for delivery of the shipment on the initial delivery attempt or reattempts, (iii) the parcel is unable to clear customs, (iv) the recipient refused to pay for duties and taxes as required by that method of delivery, (v) the shipment of the parcel would likely cause damage or delay to other shipments or goods, or cause injury, (vi) the parcel contains restricted, illegal, or otherwise prohibited items, or (vii) the parcel’s contents or packaging are damaged to the extent that re-wrapping is not possible. If the parcel is undeliverable for any reason, we may attempt to notify you and to arrange for the return of the parcel, subject to any local regulatory restrictions. Additionally, we may, in our sole discretion, return the parcel to you or dispose of the parcel. You will be liable for any and all costs, charges and fees incurred in returning or disposing of an undeliverable parcel.

Parcel Coverage: In the event your parcel is lost and/or damaged prior to delivery, the GlobalPost service offers a limited Parcel Coverage program pursuant to the following terms. Note, Parcel Coverage through GlobalPost is not package insurance. Actual package insurance must be added as a separate transaction.

Parcel Coverage may only be requested for parcels that receive one or more GlobalPost tracking events, beyond the initial acceptance event and are either never received by the recipient and/or are damaged.
Parcel Coverage will be limited to the sum of the value of the contents as specified on the customs form at the time of shipment less any salvage value (the total amount not to exceed US$100 unless indicated otherwise) PLUS the amount the shipper paid for shipping fees for the respective GlobalPost service.
Requests for Parcel Coverage must be filed between 30 and 90 days from the original ship date using the claim form available on our website and must be signed by you and the addressee, click here for additional information.
In order for GlobalPost to consider a claim for damage, the contents, original shipping cartons, and all packaging material must be available to us for inspection. Your claim may be denied if the shipment cannot be made available to us or we find the shipment was not adequately prepared according to the GlobalPost Shipment Preparation Guidelines which can be found by clicking here.
Coverage is not applicable to undeliverable and rejected parcels or parcels that contain restricted, illegal, or otherwise prohibited items.
You should review the laws and regulations of the destination country to ensure that your parcel will not be rejected on the basis that it contains restricted, illegal or otherwise prohibited items. In the event that your parcel contains such items, the carrier or customs official reserves the right to dispose of your parcel without any compensation to you.

Appointment of Agent: Pursuant to a routed export transaction under the U.S. Export Administration Regulations, Foreign Trade Regulations and all other applicable laws and regulations respecting export and foreign trade, your recipient, as the Foreign Principal Party in Interest or purchaser of the goods for export, will agree to assume responsibility for the export shipment, with Provider’s third party shipping partner(s) acting as your recipient’s forwarding agent. You remain liable for the accuracy of information you provide about shipments, and you agree to provide timely responses to requests for additional information.

Right of Inspection: You agree that we, our shipping partners, or any governmental authority including customs and security may open and inspect your shipment at any time. You acknowledge and agree that GlobalPost, our shipping partners, or any governmental authority may, at its sole discretion, decide to dispose of a parcel in the event a determination is made that such destruction is required (for example, prohibited items are shipped through GlobalPost or there is suspected fraud associated with the transaction).

Sharing of Information: Notwithstanding anything in the Privacy Policy to the contrary, you consent to the disclosure of certain personally identifiable information, as well as shipping item information, by Provider and its partners to any third party shipping partner utilized as part of the GlobalPost service, and, in addition to other third parties (such as customs and revenue authorities, as well as other government agencies), in connection with the processing, export and customs clearance, and international transportation of any shipment. Provider cannot control the privacy policies of its third party partners or their service providers and you hereby waive any claim related to the disclosure of personally identifiable or shipment information as part of GlobalPost.

Transit Times: Some GlobalPost transactions may include a quoted transit time, which represents an estimate by Provider for the respective service; actual transit times may vary. Weekend days, public holidays, bank holidays, delays caused by customs, delays attributable to compliance with mandatory local security requirements or other events beyond our control are not included when we quote door to door delivery times in our published literature. The route and the method by which we transport your shipment shall be at our sole discretion.

Additional GlobalPost Info: Additional information about GlobalPost, including policies governing eligibility, service delivery times, weight and size restrictions, handling of lost, damaged, and undeliverable items, rates, shipment insurance, returns, and refunds can be found by visiting the GlobalPost website.

CONTENT COPYRIGHT

You acknowledge that (i) content on the Site and content available through the Services is protected by copyrights, trademarks and other intellectual and proprietary rights (“Rights”); (ii) these Rights are valid and protected in all media and technologies existing now or later developed; and (iii) except as explicitly provided otherwise, the Terms and applicable copyright, trademark and other laws govern your use of such content. Any other use, including but not limited to the reproduction, modification, distribution, transmission, republication, display, or performance, of the content on this Site is strictly prohibited.

TRADEMARKS

ShipStation and associated brand names and domain names are trademarks of Provider in the United States and other countries. Provider trademarks and trade dress may not be used in connection with any product or service that is likely to cause confusion among your customers, or in any manner can be interpreted as business disparagement. All marks not owned by Provider are the property of their respective owners. You may not use, and nothing contained on the Site or in these Terms grants, by implication, waiver, estoppel or otherwise, any right to use, any trademark displayed on the Site without the written permission of Provider or the respective owner of such trademark, service mark or logo.

USE OF SITE

This Site, any portion of this Site, and any materials made available by Provider through the Site, may not be reproduced, duplicated, copied, sold, resold, or otherwise exploited for any commercial purpose that is not expressly permitted by Provider. Provider reserves the right to refuse service, terminate accounts, and/or cancel orders in its discretion, including, without limitation, if Provider believes that a user’s conduct violates applicable law or is harmful to the interests of Provider. Any use of content or descriptions; any derivative use of this Site or its contents; and any use of data mining, robots, or similar data gathering and extraction tools are strictly prohibited. In no event shall the user frame any portion of the Site or any content contained therein. By using this Site, you agree that you will comply with all applicable laws and regulations, including U.S., U.K. and European Union export and re-export control laws and regulations, if applicable.

COPYRIGHT INFRINGEMENT

Provider respects the intellectual property of others. Copyright infringement will not be tolerated. If you believe that your work has been copied in a way that constitutes copyright infringement, please alert us at Support.

SOFTWARE AVAILABLE ON THE SITE

Software that is made available from the Site (“Software”) is the copyrighted work of Provider and/or its suppliers. Your use of the Software is governed by the Terms. You may not use any Software or the Site unless you first agree to the Terms, after which Provider hereby grants to you, the user, a personal, nontransferable license to access the Software for viewing and otherwise using the Site in accordance with these Terms, and for no other purpose, provided that you keep intact all copyright and other proprietary notices contained in the Software. All Software is owned by Provider and/or its suppliers and is protected by copyright laws and international treaty provisions. Any reproduction or redistribution of the Software is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the maximum extent possible. WITHOUT LIMITING THE FOREGOING, COPYING OR REPRODUCTION OF THE SOFTWARE TO ANY SERVER OR OTHER LOCATION FOR REPRODUCTION OR REDISTRIBUTION IS EXPRESSLY PROHIBITED. You acknowledge that the Software, and any accompanying documentation and/or technical information, is subject to applicable export control laws and regulations of the U.S. You agree not to export or re-export the Software, directly or indirectly, to any countries that are subject to U.S. export restrictions.

Software usage is subject to compliance with the Terms and is provided for no additional consideration on a non-transferable, limited, revocable, royalty-free basis.

LIMITATION OF LIABILITY

IN THE EVENT PROVIDER IS FOUND TO BE RESPONSIBLE TO YOU FOR DAMAGES IN ANY WAY RELATING TO THIS SITE, THE SERVICES, OR THE SOFTWARE, YOU AGREE THAT PROVIDER’S LIABILITY TO YOU WILL NOT EXCEED THE TOTAL AMOUNT OF YOUR PREVIOUS TWELVE MONTHS’ PLAN COSTS, WHEN APPLICABLE, FOR SERVICES DURING THE PERIOD IN WHICH YOU INCUR SUCH DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. PROVIDER IS NOT LIABLE FOR ANY INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES (SUCH AS LOST PROFITS OR LOST BUSINESS OPPORTUNITIES) OR EXEMPLARY DAMAGES, THE COST OF ALTERNATIVE SERVICES, OR ATTORNEYS’ FEES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

You should note that, in some circumstances, the liability of a carrier is limited under the Convention of the Unification of Certain Rules Relating to International Carriage by Air (Warsaw, 12 October 1929), Convention of the Unification of Certain Rules Relating to International Carriage by Air (Montreal, 28 May 1999) and the Convention on the Contract for International Carriage of Goods by Road (Geneva, 19 May 1956) or similar international conventions.

DISCLAIMER

THIS SITE, SERVICES, AND SOFTWARE ARE PROVIDED BY PROVIDER ON AN “AS IS” BASIS. PROVIDER MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE OPERATION OF THE SITE OR SOFTWARE, OR THE INFORMATION, CONTENT, MATERIALS, OR PRODUCTS INCLUDED ON THE SITE AND THE SOFTWARE. TO THE FULLEST EXTENT PERMISSIBLE BY APPLICABLE LAW, PROVIDER DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

LINKS TO THIRD PARTY WEBSITES

The Provider and affiliated websites may contain links to third party websites (“Linked Websites”). The Linked Websites are not under the control of Provider and Provider is not responsible for the contents of any Linked Website, including without limitation any link contained in a Linked Website, or any changes or updates to a Linked Website. You should contact the site administrator or webmaster for those Linked Websites if you have any concerns regarding such links or the content located on such Linked Websites. You are responsible for following the terms and conditions of all Linked Websites, including carriers and other third party providers of services.

NO UNLAWFUL OR PROHIBITED USE

As a condition of your use of this Site, you warrant to Provider that you will not use the Site for any purpose that is unlawful or prohibited by these Terms, or the laws and regulations of the jurisdiction in which you are located or to which your envelope or parcel was sent. You may not use the Site in any manner that could damage, disable, overburden, or impair the Site. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided through the Site. Provider reserves the right at all times to disclose any information as necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, at Provider’s sole discretion.

MATERIALS PROVIDED TO THE SITE

Users of the Site may post comments, reviews, and other content and submit suggestions, ideas, or other information, provided the content does not contain any unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, or hateful content or content which is racially, ethnically or otherwise objectionable, or content which infringes upon the rights of any third party. You agree not to impersonate any person and/or other entity or communicate under a false name or a name that you are not entitled or authorized to use. Provider has the right (but not the obligation) to remove, prohibit, edit or discontinue any content on the Site, including content that has been posted by users.

Provider does not claim ownership of the materials you provide to Provider (including feedback and suggestions) or post, upload, input or submit to Provider or its associated services (collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting your Submission you are granting Provider, its affiliated companies and necessary sublicensees, to the extent permitted under applicable law, a non-exclusive, worldwide, irrevocable, royalty-free, sublicenseable (through multiple tiers) right to use your Submission in connection with the operation of its businesses including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, reformat, prepare derivative works of, and otherwise exploit your Submission. If we choose to use your Submission, we will either do so in a way that does not identify you or seek your consent in the event we do wish to identify you. No compensation will be paid with respect to the use of your Submission, as provided herein. Provider is under no obligation to post or use any Submission you may provide and may remove any Submission at any time at Provider’s sole discretion. By posting, uploading, inputting, providing or submitting your Submission, you warrant and represent that you own or otherwise control all of the rights to your Submission as described in this Section including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions and that your Submission is not based on, or derived from, the proprietary information or items of a third party.

GOVERNING LAW

The laws of England and Wales, without regard to conflicts of law provisions, will apply to all matters arising out of or in connection with the Site, the Services and the Software to the exclusion of any other law. By using the Site, Services and Software, you submit to the exclusive jurisdiction of the competent courts of England and Wales and further agree that any cause of action arising out of or in connection with these Terms and/or your use of the Site and/or Services and/or Software shall be brought only in these courts.

If you are a resident of France, the following applies instead of the foregoing paragraph: The laws of France, without regard to conflicts of law provisions, will apply to all matters arising out of or in connection with the Site, the Services and the Software to the exclusion of any other law. By using the Site, Services and Software, you submit to the exclusive jurisdiction of the competent courts under the jurisdiction of the Paris Court of Appeal and further agree that any cause of action arising out of or in connection with these Terms and/or your use of the Site and/or Services and/or Software shall be brought only in these courts.

In the event of a dispute, prior to filing a claim court, the party asserting the claim must first send to the other, by certified mail with return receipt requested (or any successor service), a written Notice of claim (“Notice”). If you are the claimant, the Notice to Provider must be addressed to: Auctane LLC / Dispute Resolution, 4301 Bull Creek Rd, Suite 300, Austin, Texas 78731, USA, with a cc to Legal Department – Dispute Resolution, Auctane LLC, 1990 E. Grand Ave., El Segundo, CA 90245, USA. If Provider is the claimant, the Notice must be addressed to the address used for your account. The Notice must (a) describe the nature and basis of the claim or dispute; and (b) set forth the specific relief sought. Following receipt of the Notice, each party agrees to negotiate with the other in good faith about the claim. If the claim is not resolved to the satisfaction of the claimant within sixty (60) days after Notice is provided, the claimant may file a claim court.

PROHIBITED ACTIVITIES

TERMS REGARDING 3RD PARTY SHIPPING INSURANCE

PROCESSING OF PERSONAL DATA GOVERNED BY THE EU General Data Protection Regulation (“GDPR”)

Additionally, if: (a) you are established in the European Union (“EU”); (b) you provide goods or services to customers in the EU; or (c) you are otherwise subject to the requirements of the GDPR, Provider’s collection, use and storage of Personal Data in this case is also subject to the following rules. All defined terms not otherwise defined herewith shall be interpreted in accordance with the GDPR.

Provider may be led to process certain Personal Data relating to your employees, agents and/or legal representatives for the purposes of providing the Services, carrying out administrative operations related to contract management, invoicing and payment, maintaining Provider’s commercial relationship with you and managing possible claims or litigations. Such processing will be carried out by Provider as independent data controller in accordance with our Privacy Policy. Provider may share the Personal Data with its agents or subcontractors or affiliates or other third party service providers for the sole purpose of providing or improving the Services.

Furthermore, as part of the provision of the Services, Auctane LLC (“ShipStation”) may be led to process certain Personal Data you provide to it, including Personal Data of your customers, in a capacity as data processor acting on your behalf and under your instructions. In this context, ShipStation will be designated by the term “Processor” in the following provisions. The characteristics of the processing carried out by Processor in this context are detailed in Appendix B.

Before you provide Personal Data of your customers or that of other individuals to Processor in order for Processor to provide Services, you must be in compliance with the GDPR.

In relation to any Personal Data provided by you to Processor:

(i) You warrant, undertake and confirm that you have grounds for sharing the Personal Data with Processor as envisaged;

(ii) You process the Personal Data in a capacity of data controller, in compliance with all applicable laws;

(iii) You consent to its use and you have obtained any necessary consents from, and have provided any necessary information to the receiver of the goods (your customer) as required under the GDPR, in relation to the sharing with Processor, as well as to the sharing by Processor to its own subprocessors and third parties, including in particular the carriers, of the details required to complete the services requested, including but not limited to name, address, email address, mobile telephone number, and contents of package;

(iv) You have made your customers aware that such details may be used by Processor to enhance the delivery process for your customers and it may use notifications and geodata for that purpose. This may involve Processor sharing such details with limited third parties’ data processors, for the purpose of completing the requested services; and

(v) You have told your customers that you use the Provider’s services and provided them with any appropriate information notice as required under the applicable laws regarding the protection of Personal Data.

Personal Data that originates in the EU will be stored in the EU. As part of providing the Services, you agree that this Personal Data may be transferred to the U.S. where Provider is established, as well as in other regions where Providers’ subprocessors may be established, subject to the implementation of appropriate safeguards as required under the GDPR. The transfer of Personal Data from you to Provider in the U.S. is governed by the Standard Contractual Clauses of the EU Commission attached in Appendix C. The list of other non-EU countries in which the Personal Data may currently be processed by Provider’s subprocessor, which mentions the applicable appropriate safeguards, is available to you at https://www.shipstation.com/fr/subprocessors. By agreeing to these Terms, you agree to the Standard Contractual Clauses of the EU Commission attached as Appendix C and you give your authorization to the transfers to other non-EU countries which are described in this list. If the Processor intends to implement a new transfer of Personal Data into a non-EU country, you will be informed in advance and will be entitled to notify your objection within five (5) business days, based on objective and articulated grounds linked to the compliance with data protection laws. The absence of objection notified within this period will be deemed an authorization on your part to proceed with the transfer.

Data Processing Agreement Between You and Processor

Where Processor acts as a Data Processor for processing of Personal Data governed by the GDPR, Processor will:

Process the Personal Data as a Data Processor, only for the purposes and according to the other characteristics detailed in Appendix B, in accordance with the documented instructions from you, and as may subsequently be agreed to by you (provided that such instructions are commensurate with the functionalities of the services). If Processor is required by law to Process the Personal Data for any other purpose, Processor will provide you with prior notice of this requirement, unless Processor is prohibited by law from providing such notice;
Notify you if, in Processor’s opinion, your instruction for the processing of Personal Data infringes the GDPR;
Notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to Processor’s Processing of the Personal Data, including a Data Subject’s request for the exercise of its rights under the GDPR;
Implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
Notify you promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data, and, on your request, providing you with information reasonably available to Processor and strictly necessary for the notification of the data beach to the competent supervisory authority and, where applicable, to data subjects; and
Ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose Personal Data.
On your request, provide reasonable assistance in ensuring compliance with the obligations to conduct data protection impact assessments and to consult the competent data protection authorities, considering the nature of processing and the information available to the processor. The costs related to any assistance request requiring more than two hours of work by Processor’s personnel shall be borne by you. In such a case, Processor will send you a quote that will have to be accepted by you in writing prior to the start of Processor’s assistance work;
Delete (or return to you, as requested by you in writing to us) all the Personal Data after the end of the provision of the Services relating to the processing, and delete existing copies unless the applicable law requires storage of the Personal Data;
Make available to you all information necessary to demonstrate compliance with the obligations laid down in this Section and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. The auditor shall sign sufficient confidentiality agreements prior to the audits or inspection. You have the right to perform one audit or inspection per year and agree that you shall bear all related costs. If you are a resident of Germany or France, the following applies instead of the foregoing: you have the right to perform audits or inspections, and Provider shall contribute to such audits, including inspections, at no cost.

In the course of providing the services, you acknowledge and agree that Processor may use subprocessors to Process the Personal Data. The list of subprocessors currently used by Processor is available to you at https://www.shipstation.com/fr/subprocessors. If Processor intends to add or replace a subprocessor, you will be informed in advance and may object within five (5) business days. Such objection may only relate to objective and articulated grounds linked to the compliance with data protection laws. Processor’s use of any specific subprocessor to process the Personal Data must be in compliance with the GDPR and must be governed by a contract between Processor and subprocessor including provisions at least equivalent to the provisions in this Section.

You agree to fully indemnify Processor, for any costs, fees, fines, and professional fees incurred due to a breach by you of the provisions of this Section.

MISCELLANEOUS

The following miscellaneous terms are fully applicable and important. Please read them with the same degree of care you read the preceding provisions.

ACCOUNT ACCESS: All transactions originating from your account are your responsibility. Please be mindful of whom is given access to the account, as the account holder is responsible for all charges incurred.

ACCOUNT DELINQUENCY: If you fail to pay your monthly service fee for three months or longer or you maintain a negative account balance, Provider may elect, in its sole and absolute discretion, to terminate your account. In this event, in addition to all other fees due and owing, Provider may charge a processing fee.

AUTHORITY: By completing the registration process, you agree to pay all fees incurred on your account in accordance with the terms of the service plan selected by you. If you change service plans or your account is automatically converted pursuant to this section of the Terms, you agree to be bound by the payment terms of the new plan. If a Provider account is established for a business or other entity, the person establishing the account represents that he or she has all necessary authority to establish an account with Provider on behalf of the business or other entity who is the responsible account holder.

COLLECTION: Each party agrees that if timely payment by the other of any amounts due is not made, the aggrieved party may pursue the claim directly or assign such claim for collection, and the collection agency may pursue the collection of the past due amounts and any interest or cost of collection permitted by law.

CREDIT VERIFICATION: Provider reserves the right to verify the credit of all persons or companies applying for services.

NO SUBLICENSE OR THIRD PARTY USE: You may use your Provider account for transactions for your own direct use. Provider does not grant the right to sublicense, resell, offer, or utilize any Provider products or services such that Provider products or services are stored, loaded, installed, combined, integrated or displayed as part of a product or software offering (including as part of an application programming interface) of yours to other third party products and services. Provider does not allow you to sublicense, resell, offer, or utilize Provider products or services to third parties (including customers of yours). If Provider determines, in its sole and absolute discretion, that you have violated the foregoing limitations, Provider reserves the right to immediately suspend or terminate your service/account (without notice).

ORDER ACCEPTANCE/REJECTION: Provider reserves the right at any time after receipt of an order for products or services to accept or decline the order for any reason.

RELOCATION: You agree to provide updated address information to Provider in the event of relocation.

RISK OF LOSS: The risk of loss and title for non-postage products purchased from Provider passes to you upon our delivery of the purchase to our common carrier for delivery to you.

SALES AND VALUE ADDED TAXES: If required by applicable law, sales / value added tax (VAT) is charged/collected on purchases. You are responsible for the payment of all sales, use, VAT, or other taxes owed on products or taxable items utilized regardless of whether such taxes are collected by Provider at the time of purchase.

SEVERABILITY: If any provision of these Terms is held to be invalid or unenforceable, such provision will be deemed to be restated to reflect as nearly as possible the original intention in accordance with applicable law, and the remainder of the Terms will remain in full force and effect. These Terms constitute the entire agreement between the parties with respect to the subject matter hereof and supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter. Any waiver of any provision of the Terms will be effective only if in writing and signed by Provider. The failure to enforce any right under these Terms shall not be a waiver of the provision or the right to enforce it at a later time.

THIRD PARTY TERMS AND CONDITIONS: If You access or select a carrier or a partner through the Site, you are responsible for following the terms and conditions of such third party. Please visit each individual website to obtain and review the applicable third party’s terms and conditions. Use of carrier services and partner services via the Provider platform is at your own risk. Provider is not responsible for your use of such carrier services and partner services. Your use of such services is as a direct customer of the specific third party of your choosing and you agree to be bound by the terms and conditions of that third party for use of services, including the payment of any fees associated and, with respect to a carrier, the carrier’s right to open, inspect and assess your package before and after collection.

SITE MISTAKES: Although we make reasonable efforts to provide accurate pricing information and product descriptions, pricing mistakes, typographical errors or mistakes regarding product availability may occur. We reserve the right to correct such mistakes and errors.

VIOLATIONS OF LAW: Provider services may not be used in violation of any law or in any way that interferes unreasonably with others’ use of the services.

APPENDIX A

Additional Terms Related to ShipStation Carrier Services, also referred to as One Balance™

This Appendix A to the ShipStation Terms of Service is applicable for all users of ShipStation Carrier Services, also referred to as One Balance. If there is a conflict between the Terms and Appendix A, the terms of Appendix A shall control. All defined terms not herein defined are defined in Terms. Please our webpage on ShipStation Carrier Services for an article describing the services that are offered.

ShipStation Carrier Services will allow you to maintain an account balance with Provider, such that payment for various carriers and services can be provided by Provider on your behalf, using rates provided to Provider by the carriers or partners of Provider. You hereby authorize Provider to maintain a carrier account for you that will only be valid on the ShipStation Carrier Services platform and will not be portable or transferable outside ShipStation Carrier Services, unless allowed by Provider and the individual carrier, at their sole discretion. Prior to accessing each carrier through ShipStation Carrier Services, you must accept any terms and conditions required by such carrier for their services. You are not required to accept accounts from each carrier offered by ShipStation Carrier Services, as you will be able to opt out of any carriers that you do not intend to use, or for which you have a pre-existing relationship. You may not use your own account number, not created through a relationship with Provider, within ShipStation Carrier Services and instead must use the standard Provider platform. Notwithstanding anything in this Appendix A to the contrary, all applicable carrier rules and terms shall be applicable for the services provided and Provider accepts no liability or responsibility for the failure of delivery or failure of the services of any carrier.

PROVIDER ACCOUNTS

You must pay for any variable transactional fees including for, among other things, mailing, shipping, duties and fees, and package insurance purchased in addition to Provider’s service fee. In order to use Provider accounts for any mailing and shipping services, you must pre-fund your Provider account in an amount equal to or greater than the mailing or shipping service to be purchased. All purchases, debits and adjustments will be reflected in your Provider account balance. Please note that your Provider account is managed by Provider, through Stamps.com Inc., and although our records will account for the amounts that you have posted, the funds are maintained in a pooled account. In the event of any losses, failure or other insolvency of the bank used, Provider may be afforded FDIC or other relevant banking insurance on the account, (individual account holders are not entitled to such insurance) and Provider may then allocate any insurance proceeds for all account holders; however, you may not be entitled to receive a refund of all amounts posted with Provider. In the event of any failure or insolvency of Provider, because the amounts held in your Provider account are not insured, they may not be fully refunded.

Provider accounts will be used to fund purchases by users of ShipStation Carrier Services, as well as shipping charges from other carriers.

When you pre-fund your account to conduct mailing and shipping transactions, the funds you provide will be processed by Provider and deposited in its general account and reflected in your account balance. Your account balance may be utilized for any service provided by ShipStation Carrier Services, including shipping with multiple carriers, insurance and your monthly service fee. Purchases made through the Provider store for supplies may be billed to your main user account or a new account specifically for Store purchases may be required, at Provider’s discretion.

You acknowledge and agree that all mailing and shipping transaction pricing through a Provider user account is controlled by Provider. Provider business partners, including mailing and shipping carriers, consolidators, resellers, wholesalers, among others, provide certain rates that may be made available through ShipStation Carrier Services by Provider in its sole and absolute discretion.

We do not always provide the lowest rates that may be available for your transaction, as rates are dependent on the service you choose and a variety of factors driven by your actions in using our software and by decisions from ShipStation and other business partners of ShipStation. You agree to the rate provided and displayed at the time of the transaction, as that amount may fluctuate. No refunds shall be applicable to transactions that could have been obtained at a less expensive rate, unless the transaction qualifies for a refund as provided for elsewhere in our terms.

ACCOUNT FUNDING

Provider accounts will be used to fund purchases by users of ShipStation Carrier Services, as well as shipping charges from other carriers.

COST ADJUSTMENT TRANSACTIONS

Provider accounts will be used to fund purchases by users of ShipStation Carrier Services, as well as shipping charges from other carriers.

USER REFUNDS FOR UNUSED OR MISPRINTED TRANSACTIONS; DESTRUCTION OF UNUSED OR MISPRINTED TRANSACTIONS

You may request a refund for mailing and shipping unused transactions through ShipStation Carrier Services, subject to the following rules and limitations, for any unused or misprinted items:

AUTHORIZED USER REQUEST: You acknowledge and agree that Provider and/or its authorized partners, to the extent necessary by any carrier service, is appointed to act on your behalf to request and obtain refunds. In addition to Provider’s refund requirements set forth in this agreement, refund requests are further subject to the rules and requirements of Provider’s third party carrier services. Provider makes no guarantee that a refund will be made.

UNUSED OR MISPRINTED CARRIER LABELS: Unused and/or misprinted pre-paid carrier shipping labels shall be defined as an envelope, label, plain paper containing carrier-compliant labels, or electronic image files, with full, intact indicium which is scan-able and unused. Labels handled and/or returned to sender shall not be considered a valid unused and/or misprinted label.

TIME LIMIT: You must complete the refund request within the time limit required by each carrier. Please see each carrier’s terms and conditions on their website for additional information. If you have any questions or need additional information, please visit us online or email Support.

ACTIVE ACCOUNT REQUIRED: Your account must be active and in good standing to request a refund and at the time the refund is to be credited to your account, in order for the refund to be processed and your account to be credited.

REFUND PROCESS: Please visit our refunds webpage to learn how to submit your refund request. You must follow all of the steps listed and provide all of the required information to initiate and complete your refund request, including the return or destruction, if required, of the printed or misprinted but unused mailing and shipping labels. Incomplete requests will not be processed.

REFUND REJECTIONS: You take the risk of the carrier partner improperly rejecting a refund request. Provider will not refund the transaction unless the relevant carrier partner approves the refund.

REIMBURSEMENT OF PROVIDER ACCOUNT: If a refund request is properly initiated by you within the timeframe required pursuant to Provider and carrier requirements, your account is active and in good standing, and the relevant carrier approves the refund, Provider will credit your account for the full value of the transaction to be refunded, as approved by the carrier. Refund processing times may vary. If you have an outstanding balance in any amount (including but not limited to for unpaid service fees or unpaid termination fees) you may not receive any reimbursement credit until your account is brought current. In addition, Provider may, in its sole and absolute discretion, deduct such unpaid fees from any refund otherwise due.

PAY-ON-USE SHIPPING LABELS

Provider’s Pay-on-Use shipping label feature, hereafter referred to as “Pay-on-Use” is a program offered to qualified Provider users. This program enables such qualified Provider users to print service shipping labels (either outbound or returns) for which shipping charges are paid when the label is scanned by the carrier in the mail stream (known as Pay-on-Use), rather than at the time the label is printed (known as pre-paid).

Payments: Provider will automatically debit the applicable account balance for shipping charges and any applicable transaction fees for any Pay-On-Use label that is scanned by the carrier in the mail stream. Because rates can vary over time, you hereby agree that the shipping charges debited from your account balance may be calculated based on the customer rate at the time the label is scanned by the carrier in the mail stream, not at the time the label is printed. In addition to shipping charges and other applicable account fees, Provider reserves the right to charge additional fees for participation in the Pay-On-Use Program. You are responsible for paying for any Pay-On-Use label that is scanned before the applicable label’s expiration date (expiration dates vary by carrier).

Restrictions: Pay-on-Use labels designated as return labels shall not be used as original outbound shipping labels. Pay-On-Use labels are not eligible for refunds. If you participate in the Pay-On-Use program, you may be required to maintain balance sufficient to cover the cost of the Pay-On-Use labels. Your access to the Pay-On-Use program may be disabled immediately if Provider determines, in its sole discretion, that your account is delinquent or that you are misusing the Pay-On-Use program.

Termination: Even after your account is terminated (by you or Provider), you must still pay for any Pay-On-Use labels that are scanned before the labels’ expiration dates.

CARRIER TERMS

You agree to be bound by the terms and conditions of each carrier and partner accessed through the Provider platform, and must accept such terms and conditions prior to using such carrier’s services. Please note that each carrier may change their terms and condition within their sole discretion, and we strongly suggest that you visit each carrier’s website regularly, to familiarize yourself with each company’s individual terms and conditions, as well as any potential changes, prior to using each service.

APPENDIX B

Characteristics of the Processing of Personal Data Carried Out by Processor on Your Behalf

Subject-Matter	Managing shipping and returns
Nature	Processing operations including the collection, recording, organization, storage, use, transmission of personal data etc.
Purposes	(i) Selecting carrier rates based on the addresses of expedition and receipt; (ii) creating expedition labels; (iii) transmitting the personal data to third party carriers and partners acting as independent data controllers for the purpose of making the deliveries; (iv) following-up returns by customers; (v) tracking deliveries.
Categories of Personal Data	Identification data (including first name, surname, date of birth (to the extent applicable, e.g., to comply with age requirements on certain deliveries) etc.); contact information (including postal address, email address, telephone number).
Categories of Data Subjects	Your customers
Duration	The shortest duration between (i) your deletion of the Personal Data within the platform and (ii) the end of our contractual relationship.

APPENDIX C

Standard Contractual Clauses of the EU Commission – Transfer of Personal Data from you to Provider in the U.S. (Controller to Processor)

SECTION I

Clause 1

Purpose and scope

The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
- The Parties:
  - the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
  - the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Sub-Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Sub-Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 – Clause 8.1(b), 8.9(a), (c), (d) and (e);
- Clause 9 – Clause 9(a), (c), (d) and (e);
- Clause 12 – Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 – Clause 18(a) and (b);
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Sub-Appendix and signing Annex I.A.
- Once it has completed the Sub-Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
- The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Sub-Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Sub-Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
- the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
- The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 5 business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
- The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
  - lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
  - refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
- Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
- The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
- The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
  - the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
  - the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
  - any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
  - the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
  - the data importer is in substantial or persistent breach of these Clauses; or
  - the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
- The Parties agree that those shall be the courts of Ireland.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.

SUB-APPENDIX

ANNEX I

A. LIST OF PARTIES

1. Data exporter:

Name: The person or entity identified as “you”, “user”, or “account holder” in the Terms.

Address: The address for account holder associated with his/her/its Shipstation account or as otherwise specified in writing between the Parties.

Contact person’s name, position and contact details: The contact details associated with account holders’s account, or as otherwise specified in writing between the Parties.

Activities relevant to the data transferred under these Clauses: The activities specified in Appendix B of the Terms.

Signature and date: Account holders’ continued use of the Services (as defined in the Terms) constitutes account holders’ agreement to be bound by the Terms, including these Clauses.

Role (controller/processor): Controller.

2. Data importer(s):

Name: Auctane LLC.

Address: 4301 Bull Creek Road, Suite 300, Austin, TX 78731, USA.

Contact person’s name, position and contact details: Legal Department, [email protected].

Activities relevant to the data transferred under these Clauses: The activities specified in Appendix B of the Terms.

Signature and date: Auctane LLC’s provision of the Services (as defined in the Terms) to account holder constitutes Auctane LLC’s agreement to be bound by the Terms, including these Clauses.

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The category of data subjects is described in Appendix B of the Terms.

Categories of personal data transferred

The categories of personal data transferred are described in Appendix B of the Terms.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

The nature of the processing is described in Appendix B of the Terms.

Purpose(s) of the data transfer and further processing

The purposes are described in Appendix B of the Terms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The criteria used to determine the retention period are described in Appendix B of the Terms.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are described in Appendix B of the Terms.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measure	Description
Measures of pseudonymization and encryption of personal data	Data at rest encrypted using AES-256 algorithm. Employee laptops are encrypted using full disk AES-256 encryption. HTTPS encryption on every web login interface, using industry standard algorithms and certificates. Access to operational environments requires use of secure protocols such as HTTPS. Data that resides in Amazon Web Services (AWS) encrypted at rest as stated in their respective whitepapers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys via AWS Key Management Service (KMS) are IAM role protected, and protected by AWS-provided HSM certified under FIPS 140-2.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	Virtual Private Network (VPN) for access to production resources. Strong access controls based on the use of the ‘Principle of Least Privilege’. Differentiated rights system based on security groups and access control lists. Employees are granted only the amount of access necessary to perform job functions. Unique accounts and role-based access within operational and corporate environments. Access to systems restricted by security groups and access-control lists.Removal of access for employees upon termination or change of employment. Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources. Strong and complex passwords required. Initial passwords must be changed after the first login. Passwords are never stored in clear-text and are encrypted in transit and at rest. Account provisioning and de-provisioning processes. Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse. Confidentiality requirements imposed on employees. Mandatory security trainings for employees.Non-disclosure agreements with third parties.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Backups regularly performed and tested. Redundancy and backups performed via AWS Controls.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	User activity including logins, configuration changes, deletions and updates are written automatically to audit logs in operational systems. Certain activities are not available directly to customers such as timestamps, IPs, login/logouts, and errors. These logs are available only to authorized employees, stored off-system, and available for security investigations.All logs can be accessed only by authorized employees and access controls are in place to prevent unauthorized access. Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through use of access controls and security measures. Network segmentation and interconnections protected by firewalls. Annual penetration testing for all components of the Auctane SaaS, including web and mobile applications.
Measures for user identification and authorization	Access to operational and production environments is protected by use of unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA), role-based access, and least privilege principle.Authorization requests and provisioning is logged and tracked in a ticketing system. Customer-generated OAuth tokens are stored in an encrypted state.Keys required for decryption of those secrets are stored in a secure, managed repository (such as AWS KMS) that employs industry-leading hardware security models that meet or exceed applicable regulatory and compliance obligations. Access keys used by production applications (e.g. AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or personnel departure) and at least yearly. User activity in operational environments including access, modification or deletion of data is being logged. Web Application Firewall (WAF), in addition to the network-based firewalls.
Measures for the protection of data during transmission	HTTPS encryption for data in transit. Internal networks are contained within AWS, protected by AWS Network Access Control Lists (NACLs) and AWS Security Groups (SGs); when appropriate VPN is used to access data or over a secure private gateway (also provided by AWS).
Measures for the protection of data during storage	Auctane customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure executable uploads, code, or unauthorized actors are not permitted to access unauthorized data – including one customer accessing files of another customer. Endpoint security software. System inputs recorded via log files. Access Control Lists (ACL). Multi-factor Authentication (MFA).
Measures for ensuring physical security of locations at which personal data are processed	Shared Responsibility Model with AWS: https://aws.amazon.com/compliance/shared-responsibility-model/ Physical access to all restricted facilities is documented and managed. All information resource facilities (e.g. network closets and storerooms) are physically protected in proportion to the criticality or importance of their function. Access to information resource facilities is granted only to company personnel and contractors whose job responsibilities require access to those facilities. The process for granting card and/or key access to information resource facilities includes the approval of the person responsible for physical facility management. Everyone granted access rights to an information resource facility must sign the appropriate access and non-disclosure agreements. Access cards and/or keys must not be shared or loaned to others. Access cards and/or keys that are no longer required are returned to the person responsible for physical facility management. Cards must not be reallocated to another individual, bypassing the return process. Lost or stolen access cards and/or keys must be reported to the person responsible for physical facility management as soon as practical. Card access records and visitor logs for information resource facilities are kept for routine review based upon the criticality of the information resources being protected. The person responsible for information resource physical facility management removes the card and/or key access rights of individuals that change roles within the organization or are separated from their relationship with the organization. Visitors in card access-controlled areas of information resource facilities must always be accompanied by authorized personnel. The person responsible for physical facility management reviews card and/or key access rights for the facility on a periodic basis and removes access for individuals that no longer require access. Equipment is protected to reduce the risks from environmental threats, hazards, and opportunities for unauthorized access.
Measures for ensuring events logging	Remote logging.
Measures for ensuring system configuration, including default configuration	Auctane has in place a Change Management Policy.Auctane monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of un-detected changes to production. Changes are tracked in our change platform.Access Control Policy and Procedures.Mobile device management.
Measures for internal IT and IT security governance and management	Auctane has established an Information Security Management Program in line with the SOC 2 standard. Information-related business operations continue to be carried out in line with the SOC 2 standard. Auctane has in place a written information security policy, including supporting documentation. Other written security policies that Auctane has in place include the following: Application Security Policy SLA & Availability Policy System Change PolicyData Classification PolicySDLC PolicyBusiness Continuity PlanDisaster Recovery Policy Encryption Policy Incident Response Policy Password PolicyData Backup & Retention Policy Vendor Management Policy Workstation Policy Privacy Policy Access On-boarding and Termination Policy Privileged Access Policy Open Source Software Approval Vulnerability Management Policy The authority and responsibility for managing Auctane’s information security program has been delegated to the Director of Security and Compliance, who is authorized by senior management to take actions necessary to establish, implement, and manage Auctane’s information security program.
Measures for certification/assurance of processes and products	Auctane is currently undergoing a SOC 2 Type 1 audit.
Measures for ensuring data minimization	Detailed privacy assessments are performed related to implementation of new products/services and processing of personal data by third parties. Data collection is limited to the purposes of processing (or the data that the customer chooses to provide). Security measures are in place to provide only the minimum amount of access necessary to perform required functions. Data retention time limits restricted. Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.
Measures for ensuring data quality	Auctane has a process that allows individuals to exercise their privacy rights (including a right to amend and update information), as described in Auctane’s Privacy Policy. Applications are designed to reduce/prevent duplication. Many application level checks are in place to ensure data integrity. QA team that helps to ensure these items are working as designed and implemented before reaching our production environment.
Measures for ensuring accountability	Customer Privacy Assessments are required when introducing any new product/service that involves processing of personal data. Data protection impact assessments are part of any new processing initiative.
Measures for allowing data portability and ensuring erasure	Ability to export all data from Auctane. Auctane has a process that allows individuals to exercise their privacy rights (e.g. right of erasure or right to data portability), as described in Auctane’s Privacy Policy.

Want to learn more about ShipStation?

View Features Schedule a Demo