OPENCHANNEL DATA PROCESSING POLICY

At StockTree Inc. (“OpenChannel”, “we”, “our” and “us”) we are committed to protecting your data rights and support a general policy of openness about how we collect, use and disclose your personal information.

The purpose of this Data Processing Policy (DPP) is to inform you about OpenChannel’s practices relating to the collection, use and disclosure of personal information that may be provided through access to or use of our websites, including the website located at https://openchannel.io (collectively referred to as the “Website”) as well as our services and related products (collectively referred to as the “Services”), or that may otherwise be collected by us. By using our Services or Website, you consent to the collection, use and disclosure of your personal information (as defined below) in accordance with the following terms and conditions.

This Data Processing Policy also explains how you can contact us if you have a question about, want to make a change to or delete any personal information that OpenChannel may be holding about you. We strongly recommend that you take the time to read this Data Processing Policy and retain it for future reference.

HOW THIS DPP APPLIES

Customer enters into this DPP on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent OpenChannel processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPP only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.

In the course of providing the Services to Customer, OpenChannel may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

This DPP is only valid and legally binding if the Customer entity signing it is a party to an Agreement (defined below) and is a data controller.

This DPP consists of the below Data Processing Policy and Standard Contractual Clauses, which have been pre-signed by OpenChannel. Any modifications to the terms of this DPP (whether handwritten or otherwise) will render this DPP ineffective unless OpenChannel has separately agreed to those modifications in writing.

This Data Processing Agreement (“DPP”) forms part of the Agreement between OpenChannel and Customer (jointly “the Parties”), and reflects their agreement with regard to the Processing of Personal Data in accordance with the requirements of the Data Protection Laws and Regulations.

1. Definitions

1.1. “Agreement” means any agreement between OpenChannel and a specific customer under which Covered Services are provided by OpenChannel to that customer. Such an agreement may have various titles, including but not limited to “Marketplace Hosting Services Agreement,” “Sales Order,” “Terms of Service” or “Master Services Agreement.”

1.2. “Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services by Customer, but has not signed its own Agreement with OpenChannel and is not a "Customer" as defined under the Agreement. Such Authorized Affiliates may have various titles, including but not limited to “Partner,” “Developer,” “Third Party Developer,” “Partner Ecosystem,” or “End User.”

1.3. “Covered Services” means services that are ordered by the Customer from OpenChannel.

1.4. “Customer” means the entity which determines the purposes and means of Processing of Personal Data.

1.5. “Data Protection Laws and Regulations” means all applicable laws which govern the use of data relating to identified or identifiable natural persons, including the laws of the European Union (“EU”) Data Protection Act 1998, the EU General Data Protection Regulation (“GDPR”), as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a Party in the course of its performance of the Agreement.

1.6. “Personal Data” means any personal data, as defined in the Data Protection Laws and Regulations, which is provided by or on behalf of Customer and Processed by the Processor pursuant to the Agreement.

1.7. “Permitted Purpose” means the use of the Personal Data to the extent necessary for provision of the Services by the OpenChannel to the Customer as more particularly set out in Schedule 1 to in Appendix 2 to this DPP.

1.8. “Security Incident” means any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer’s Personal Data.

1.9. “Standard Contractual Clauses” means the agreement executed by and between the Customer and OpenChannel, and attached as Appendix 2 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection, and any new Standard Contractual Clauses applicable between controllers and processors issued after the Agreement’s effective date.

1.10. “Sub-processor” means any data Processor engaged by OpenChannel.

1.11. Terms such as “Data Subject”, “Processing”, “Controller”, “Processor” and “Supervisory Authority” shall have the meaning ascribed to them in the Data Protection Laws and Regulations.

2. Services

2.1. OpenChannel may process Personal Data on behalf of Customer as part of provision of the Services to Customer.

2.2. This DPP supplements the Agreement and in the event of any conflict between the terms of this DPP and the terms of the Agreement, the terms of this DPP prevail.

2.3. Any provisions contained in this DPP that would not apply to the Parties but for the GDPR shall not apply to the Parties until May 25, 2018 and thereafter. For clarity, such provisions in this Agreement are preceded with, “Upon enforcement of the GDPR.”

3. Data Protection Laws and Regulations

3.1. Customer acknowledges and agrees that OpenChannel will Process the Personal Data in the capacity of a Data Processor (or a Processor under the GDPR) and that Customer will be the Data Controller (or a Controller under the GDPR) of the Personal Data.

4. Obligations Of The Customer

4.1. Customer shall warrant that the instructions that it provides to OpenChannel pursuant to this DPP comply with Data Protection Laws and Regulations.

4.2. Subject to the OpenChannel complying with its obligation under Section 5.2 below, the Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and Regulations and all communications from Supervisory Authorities that relate to the Personal Data, in accordance with Data Protection Laws and Regulations. To the extent such requests or communications require OpenChannel’s assistance, the Customer shall immediately notify OpenChannel of the Data Subject or Supervisory Authority request. In the event that any such request is made directly to OpenChannel, it will forward such request to the Customer.

5. Obligations Of The Processor

5.1. OpenChannel will Process the Personal Data on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, and in such manner as is necessary for the provision of services under the Agreement, except as required to comply with a legal obligation to which OpenChannel is subject. OpenChannel shall immediately inform the Customer if, in its opinion, the execution of an instruction could violate any applicable data protection law.

5.2. If OpenChannel receives a request from any Data Subject made under Data Protection Laws and Regulations relating to Personal Data pursuant to the Agreement, OpenChannel will provide reasonable assistance to the Customer to assist it in responding to the request. Upon enforcement of the GDPR, OpenChannel will assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfil the Customer’s and the OpenChannel’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.

5.3. OpenChannel will assist the Customer, insofar as this is possible, in addressing any communications and abiding by any advice or orders from the Supervisory Authority relating to the Personal Data within the timeframe specified by the Supervisory Authority.

5.4. OpenChannel will not disclose the Personal Data to third parties except as permitted by this DPP or the Agreement, unless OpenChannel is required to disclose the Personal Data by applicable laws, in which case OpenChannel shall (to the extent permitted by law) notify the Customer in writing and liaise with the Customer before complying with such disclosure request.

5.5. OpenChannel will endeavor to treat all Personal Data as strictly confidential and will inform all of its employees, agents, and approved Sub-processors engaged in Processing the Personal Data of the confidential nature of such information.

5.6. OpenChannel will keep the Personal Data confidential and implement and maintain administrative, physical, technical and organizational safeguards for the security (including protection against accidental or unlawful loss, destruction, alteration, damage, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed), confidentiality and integrity of Personal Data.

5.7. Upon enforcement of the GDPR, taking into account the nature of the Processing and the information available to OpenChannel, OpenChannel will provide reasonable assistance to the Customer in complying with its obligations under GDPR Articles 32-36 (inclusive) (which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation).

5.8. OpenChannel shall reasonably cooperate with and assist the Customer in: (a) fulfilling its legal obligations; (b) formulating a correct response; and (c) taking suitable further steps in respect to any Security Incident, Data Subject Request, or Supervisory Authority Request.

5.9. As of May 25, 2018, OpenChannel shall implement a procedure for the regular testing, inspection, assessment and evaluation of the effectiveness of the technical and organizational measures in order to ensure the security of the processing, and notify the Customer of any findings.

5.10. OpenChannel will inform the Customer if, in its opinion, the execution of an instruction relating to the processing of Personal Data pursuant hereto, could infringe any applicable Data Protection Laws and Regulations. However, the Parties agree that it is Customer’s obligation, and not OpenChannel’s, to ensure that its instructions relating to the processing of Personal Data comply with the Data Protection Laws and Regulations.

6. Contracting With Sub-Processors

6.1. Customer acknowledges that, as a Controller, they may provide a general consent to onward sub-processing by the data importer. Accordingly, Customer provides a general consent to OpenChannel to engage onward sub-processors, subject to compliance with the requirements below.

6.2. OpenChannel will make available to Customer a list of all OpenChannel subcontractors (“Sub-processors”) who are involved in processing or sub-processing Personal Data in connection with the provision of the Services, together with a description of the nature of services provided by each Sub-processor (“Sub-processor List”).

6.3. OpenChannel shall ensure that the Sub-processor is bound to the same data protection obligations of OpenChannel under this DPP and the Data Protection Laws and Regulations.

6.5. OpenChannel will provide copies of any Sub-processor agreements to Customer pursuant only upon reasonable request by Customer. Such agreements may be redacted by OpenChannel to remove any commercial information and any information unrelated to the processing of Personal Data conducted by the Sub-processor.

6.6. If Customer has a reasonable basis to object to OpenChannel’s use of a Sub-processor, Customer will notify OpenChannel promptly in writing within 15 days. OpenChannel will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer.

7. Security Incident Management

7.1. OpenChannel shall, to the extent permitted by law, notify Customer without undue delay after becoming aware of any Security Incident.

7.2. OpenChannel’s notification of a Security Incident to the Customer to the extent known should include: (a) the nature of the incident; (b) the date and time upon which the incident took place and was discovered; (c) the number of data subjects affected by the incident; (d) the categories of Personal Data involved; (e) the measures – such as encryption, or other technical or organizational measures – that were taken to address the incident, including measures to mitigate the possible adverse effects; (f) whether such proposed measures would result in a disproportionate effort given the nature of the incident; (g) a description of the likely consequences of the incident. The Customer alone may notify any public authority.

8. Liability and Indemnity

8.1. Any claims brought under this DPP will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Agreement.

9. List of Approved Sub-Processors

9.1. Below is the list of approved sub-processors, to be updated as required by OpenChannel.

Sub Processor           Services Provided
Amazon Web Services     Cloud hosting for OpenChannel SaaS platform
WP Engine               Cloud hosting for Customer marketplace templates
CleanTalk               Protecting submission forms from spam
Stripe                  Payment processing
Mongo Cloud Services    Database and backups
Twilio                  To enable 2 way chat
Algolia                 To enable text based search
Mandrill (MailChimp)    To send email notifications

10. Changes to this Data Processing Policy

10.1. OpenChannel reserves the right to modify this Data Processing Policy at any time without notice to reflect changes in legal or regulatory obligations or changes in the manner in which we deal with data processing. The Data Processing Policy posted at any time or from time to time via this website shall be deemed to be the Data Processing Policy then in effect.

11. Correcting or Updating Your Information

11.1. You can help us maintain the accuracy of your personal information by notifying us of any changes to this information. You may contact OpenChannel to request access to or correction or update of your personal information using the contact information provided in the “Contact Us” section of this Data Processing Policy.

CONTACTING OPENCHANNEL

In the event that you have any questions about OpenChannel’s Data Processing Policy or if you have reason to believe that OpenChannel may have failed to adhere to this Policy, you may contact us at:

E-mail: info@openchannel.io

Attention: “Re: Data Processing Policy”