Data Processing Agreement - Glaze Digital & Argento Contemporary Jewellery Ltd

This Data Processing Agreement (“Agreement”) is entered into between:
Argento Contemporary Jewellery Ltd, a company registered in Northern Ireland (the “Controller”), and

Glaze Digital Ltd, a company registered in Northern Ireland (the “Processor”).

This Agreement forms part of the contractual relationship between the parties in relation to the provision of website development and management services for Argento’s Shopify platform.

Definitions

1.1 “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, and “Personal Data Breach” shall have the meanings given in the UK General Data Protection Regulation (“UK GDPR”).

1.2 “Services” means the migration, configuration, and management of Argento’s Shopify website and associated integrations.

2.1 The Processor shall process Personal Data on behalf of the Controller for the purpose of performing the Services described in this Agreement.

2.2 This Agreement shall remain in effect for the duration of the Services and until all Personal Data has been returned or deleted in accordance with Clause 11.

The Processor will process Personal Data as necessary to migrate data from Argento’s IRP platform to Shopify, configure and manage the Shopify website, provide analytics and marketing integrations (Google Analytics, Meta, Email Platform), and deliver ongoing technical maintenance and support.

(a) Categories of Data Subjects: Customers of Argento. (b) Categories of Personal Data: Customer names, contact details, order and transaction history, account details, and marketing preferences. No payment card data is processed by the Processor.

5.1 The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorised to process the data are bound by confidentiality obligations;(c) implement appropriate technical and organisational measures to ensure security of Personal Data; (d) assist the Controller in fulfilling its data protection obligations under UK GDPR; (e) notify the Controller without undue delay after becoming aware of a Personal Data Breach; (f) maintain records of processing activities; and (g) not engage any sub-processor without prior written authorisation of the Controller.

The Controller authorises the Processor to engage the following sub-processors for the purposes of performing the Services: - Shopify International Ltd - Google Analytics (Google LLC) - Meta Platforms Inc. - Klaviyo Inc. The Processor shall ensure that all sub-processors are bound by written agreements imposing data protection obligations no less stringent than those contained in this Agreement.

Personal Data may be transferred outside the UK and EEA for the purpose of performing the Services. Such transfers shall be made in accordance with UK GDPR, using appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office (ICO).

The Processor shall implement appropriate technical and organisational security measures to protect Personal Data against unauthorised or unlawfulprocessing, accidental loss, destruction, or damage, including access controls, encryption, regular testing, and secure hosting environments.

Both parties shall treat all Personal Data and related information as strictly confidential and shall not disclose it to any third party except as required by law or permitted under this Agreement.

The Controller shall have the right to audit the Processor’s compliance with this Agreement, on reasonable notice and during normal business hours, no more than once per year, unless a suspected breach requires additional review.

Upon termination of the Services, the Processor shall, within 90 days, either return all Personal Data to the Controller or securely delete it, unless retention is required by law.

This Agreement shall be governed by and construed in accordance with the laws of Northern Ireland. Any disputes shall be subject to the exclusive jurisdiction of the courts of Northern Ireland.