Terms of Service

Updated November 25, 2024

This Merchant Agreement (this "Agreement") is a binding agreement between you ("Merchant," "you," or "your") and Cauldron Technologies, LLC, a Delaware limited liability company (“Cauldron,”"we," or "us"). This Agreement governs your access to and use of our Services (defined below).

THIS AGREEMENT TAKES EFFECT WHEN YOU REGISTER AN ACCOUNT WITH US AND CLICK THE "I ACCEPT" BUTTON. BY CLICKING "I ACCEPT" YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND REPRESENT AND WARRANT THAT

  1. YOU ARE EIGHTEEN (18) YEARS OF AGE OR OLDER,

  2. RESIDE IN THE UNITED STATES OR ANY OF ITS TERRITORIES OR POSSESSIONS, AND

  3. YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT AND, IF ENTERING INTO THIS AGREEMENT FOR AN ORGANIZATION, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION; AND

  4. ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS.

THIS AGREEMENT IS AN INTEGRAL PART OF THE WEBSITE TERMS OF USE THAT APPLY GENERALLY TO THE USE OF OUR WEBSITE, AND OUR PRIVACY POLICY. IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT CREATE AN ACCOUNT WITH US. IF YOU DO NOT ACCEPT THESE TERMS, YOU MAY NOT ACCESS OR USE OUR SERVICES.

  1. DEFINITIONS

  1. "Aggregated Data" means information that is de-identified, or that is stripped of any information that could directly identify an individual, and that is combined with other de-identified data, and therefore, does not constitute Personal Information (defined below).

  2. "Application" means Cauldron’s software, user interfaces, on-line help, Cauldron Dashboard, and associated Documentation, access to which is provided by Cauldron to Merchant for use by Consumers for tracking loyalty programs offered by Merchant Stores.

  3.  "Authorized User" means Merchant and Merchant's employees, consultants, contractors, and agents (i) who are authorized by Merchant to access and use the Services under the rights granted to Merchant pursuant to this Agreement and (ii) for whom access to the Services has been purchased hereunder.

  4. "Cauldron Dashboard" means the user interface that Cauldron provides to Merchant, which Merchant may access and configure through a Subscription to offer customer loyalty programs to its Consumers who purchase Merchant’s goods and services.

  5. "Cauldron Property" means (i) the Services, the Application, the Documentation, and all Intellectual Property Rights therein; (ii) the information or data provided by Cauldron to Merchant as part of the Services;  (iii).the information and data that Cauldron collects directly from Consumers; (iv) the data and information input by a Consumer into the Application for the purpose of using the Application, and any data collected and processed by or for the Consumer, which is generated by the Application as part of the Consumerʼs use of the Application; (v) metadata arising from Merchantʼs use of the Services and used by Cauldron to provide and improve the Services; (vi) Feedback from Merchant or Authorized Users to Cauldron relating to the Services (all of the above excluding Personal Data of Merchants and Consumers); and Aggregated Data.

  6. Consumer” means any individual who visits or transacts business with a Merchant Store and the Application.

  7. "Data Subject" means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

  8. "Documentation" means Cauldron's user manuals, handbooks, and guides relating to the Services provided by Cauldron to Merchant upon access to the Services.  

  9. "Intellectual Property Rights" means intellectual property rights arising anywhere in the world: including without limitation, rights in patents, trademarks, service marks, trade names, other trade-identifying symbols and inventions, copyrights, design rights, database rights, rights in know-how, and trade secrets; whether registered or unregistered, and including applications for the grant of any such rights;

  10. "Merchant Content" means the text, images, and information that Merchant inputs into the Cauldron Dashboard.

  11. "Merchant Data" means the information (including Personal Information) relating to a Merchant or Merchant Store, including business, financial and product information and any Customer Data, provided by Shopify to Cauldron.

  12. "Merchant Store" means the Merchant's commercial website or online presence hosted by Shopify, including their online store and point of sale, which may include more than one Merchant Store.

  13. "Processing," "processes," or "process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process, and includes, but is not limited to obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data , organizing, amending, retrieving, using, disclosing, erasing, destroying, and transferring Personal Information to third parties.

  14. Personal Information” means any information that Cauldron processes through the Services that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Cauldron's possession or control or that Cauldron is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. Personal Information includes but is not limited to a person’s (a) name, (b) email address, (c) age, (d), birthdate, (e) shopping information, and/or (f) shipping or physical address.  

  15. "Privacy and Data Protection Requirements" means all applicable federal and state laws and regulations relating to the Processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. 

  16. "Service(s)" means the access to and use of:  (i) the Application or Cauldron’s hosted software-as-a-service; and (ii) Cauldron Data, and any associated websites, products or services offered by Cauldron, in accordance with this Agreement.

  17. "Shopify" means Shopify Inc. and its affiliates.

  18. "Shopify Payments" means the entity, Shopify Payments (USA) Inc., which is Cauldron’s payment processor for monthly Subscription Fees.  

  19. "Software" means Cauldron’s computer programs (in object and source code form) that run the Application and software-as-a-service provided by Cauldron to Merchant as part of the Services;

  20. "Subscription" means Merchant’s monthly access to the Services.  

  21. "Subscription Fees" means the monthly fees and the usage fees payable by the Merchant to Cauldron for access to the Services in accordance with the selected Subscription. 

  22. "Third-Party Products" means any products, content, services, information, websites, or other materials that are owned by third parties and are incorporated into or accessible through the Services.

  1. ACCESS AND USE OF SERVICES

  1. Provision of Access. Subject to and conditioned on your payment of the Subscription Fees and compliance with all other terms and conditions of this Agreement, Cauldron hereby grants you a revocable, non-exclusive, non-transferable, non-sublicensable, limited right to access and use the Application, which is hosted by Cauldron, through a consent screen provided by Shopify, during the Term, solely for your internal business operations by Authorized Users and Consumers in accordance with the terms and conditions herein. secure.You shall create an account with Cauldron by using an email and creating a password, which you shall keep confidential.

  2. Documentation License. Subject to the terms and conditions contained in this Agreement, Cauldron hereby grants you a non-exclusive, non-sublicensable, non-transferable license for Authorized Users to use the Documentation during the Term solely for your internal business purposes in connection with use of the Services.

  3. Use Restrictions. You shall not, and shall not permit any Authorized Users to, use the Services, any software component of the Services, or Documentation for any purposes beyond the scope of the access granted in this Agreement. You shall not at any time, directly or indirectly, and shall not permit any Authorized Users to:

    1. copy, modify, create derivative works, or otherwise modify the Services, any software component of the Services, or Documentation, in whole or in part; 

    2. rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation except as expressly permitted under this Agreement; 

    3. reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to the source code, object code or underlying structure, ideas, algorithms, or any software component of the Services, in whole or in part; 

    4. access the Services in order to develop a competing product or service; 

    5. use the Services to provide a service for others;

    6. use the Services to operate more or different type of applications than permitted under the applicable Subscription;  

    7. remove any proprietary notices from the Services or Documentation; 

    8. use a computer or computer network to cause physical injury to the property of another;

    9. use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates the CAN-SPAM Act or any applicable law, regulation, or rule; 

    10. disable, hack or otherwise interfere with any security, digital signing, digital rights management, verification or authentication mechanisms implemented in or by the Services; 

    11. include, send, store or run software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs from the Services; 

    12. cause a computer to malfunction, regardless of how long the malfunction persists; 

    13. alter, disable, or erase any computer data, computer programs or computer software without authorization; 

    14. interfere with, disrupt or undermine the security or the operation of the Services or our website; or 

    15. interfere with, disrupt or undermine anyone's use or enjoyment of the Services or our website.

  4. Reservation of Rights. Cauldron reserves all rights not expressly granted to Merchant in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Merchant or any third party, any Intellectual Property Rights or other right, title, or interest in or to the Cauldron Property.

  5. Suspension. Notwithstanding anything to the contrary in this Agreement, Cauldron may temporarily suspend Merchant's and any other Authorized User's access to any portion or all of the Services if: (i) Cauldron reasonably determines that (A) there is a threat or attack on any of the Cauldron Property; (B) Merchant's or any other Authorized User's use of the Cauldron Property disrupts or poses a security risk to the Cauldron Property or to any other customer or vendor of Cauldron; (C) Merchant or any other Authorized User is using the Cauldron Property for fraudulent or illegal activities; (D) subject to applicable law, Merchant has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Cauldron's provision of the Services to Merchant or any other Authorized User is prohibited by applicable law; (ii) any vendor of Cauldron has suspended or terminated Cauldron's access to or use of any third-party services or products required to enable Merchant to access the Services; or (iii) in accordance with Section 5 (any such suspension described in subclause (i), (ii), or (iii), a "Service Suspension"). Cauldron shall use commercially reasonable efforts to provide written notice of any Service Suspension to Merchant and to provide updates regarding resumption of access to the Services following any Service Suspension. Cauldron shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Services Suspension is cured. Cauldron will have no liability for any damage, liabilities, losses (including any loss of or profits), or any other consequences that Merchant or any other Authorized User may incur as a result of a Service Suspension.

  6. Publicity. Unless we receive written instructions from you otherwise, you hereby grant Cauldron a license to display, reproduce, and use your business’ name and logo for limited promotional and marketing purposes on our website.  If you no longer wish for us to continue to use your business’ name and logo on our website, you will need to notify us in writing by sending an email to biz@cauldronhq.com.  

  7. Shopify and Cauldron’s Responsibility for the Application.  As between Shopify and Cauldron, Cauldron is solely responsible for the Application: (ii) Shopify is not liable for any fault in the Application or any harm that may result from its installation or use; (iii) except where expressly stated by Shopify, Shopify cannot provide assistance with the installation or use of the Application; and (iv) Cauldron is solely responsible for any liability which may arise from a Merchant's access to or use of the Application, including: (A) the development, use, marketing or distribution of or access to the Application, including support of the Application; or (B) Cauldron's access, use, distribution or storage of Merchant Data.

  1. USE OF PERSONAL INFORMATION, MERCHANT DATA, AND CAULDRON PROPERTY

  1. Personal Information. Cauldron shall process Personal Information only for the purposes of providing the Services to the Merchant in accordance with Cauldron’s Privacy Policy and the Data Processing Addendum attached as Exhibit A hereto.

  2. Merchant Data.  Merchant Data is owned by Shopify and Cauldron shall process  Merchant Data only for the purposes of providing the Services to the Merchant in accordance with Cauldron’s Privacy Policy.

  3. Data Collected by Cauldron.  Merchant authorizes Cauldron to collect, use and process, and provide to Shopify, data that is provided by Merchant to Cauldron, or that is collected and processed by or for the Merchant, or is generated by the Services as part of the Merchant’s use of the Services, for purposes of providing and improving the Services.  Merchant authorizes Cauldron to communicate with Consumers directly or indirectly, for purposes of (i) providing the Application to Consumers, (ii) obtaining consent from Consumers to collect, use and process their information, and (iii) obtaining consent from Consumers to use certain Personal Information in De-identified form.  “De-identified form” means that Cauldron will strip the data of information that could directly identify an individual and connect the individual to the data (identifying information for example, a name, email address, physical address) and assign a random code to the data instead of the identifying information.

  1. CAULDRON APPLICATION AND MERCHANT CONTENT

  1. Access.  The Services allow Merchant, including its Authorized Users, to create, post, submit, publish, display, or transmit a selection of merchandise, information and advertisements about the Merchant’s Store (“Merchant Content”) through the Application.  All Merchant Content must comply with the Content Standards set out in this Agreement.  Merchant acknowledges that any Merchant Content submitted to the Services for publication and display on the Cauldron Application will be considered non-confidential and non-proprietary. By providing any Merchant Content on the Application, Merchant hereby grants Cauldron and its licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties Merchant Content for any purpose. 

  2. Merchant Representation and Warranties.  Merchant represents and warrants that: 

    1. Merchant owns or controls all rights in and to the Merchant Content and has the right to grant the license granted above to Cauldron and its licensees, successors, and assigns.

    2. All of the Merchant Content does and will comply with this Agreement.  

    3. Merchant is responsible for any Merchant Content submitted or contributed to the Services for display on the Cauldron Application, and that the Merchant, not the Cauldron, have full responsibility for such content, including its legality, reliability, accuracy, and appropriateness.

    4. Cauldron will not be responsible or liable to any third party for the content or accuracy of any Merchant Content posted by Merchant. 

  3. Cauldrons Rights.  Cauldron has the right and sole discretion to:

    1. Remove or refuse to post any Merchant Content for any or no reason.

    2. Take any action with respect to any Merchant Content that Cauldron deems necessary or appropriate, including if Cauldron believes that such Merchant Content violates this Agreement, including the Content Standards (defined below), infringes any Intellectual Property Right or other right of any person or entity, threatens the personal safety of users of the Services, Cauldron Application, or the public, or could create liability for the CauldronCauldron.

    3. Disclose Merchant’s identity or other information about the Merchant to any third party who claims that material posted by you violates their rights, including their iIntellectual pProperty rRights or their right to privacy.

    4. Take appropriate legal action, including without limitation, referral to law enforcement, for any illegal or unauthorized use of the Services.

  4. Compliance.  Without limiting the foregoing, Cauldron has the right to cooperate fully with any law enforcement authorities or court order requesting or directing Cauldron to disclose the identity or other information of anyone posting any materials on or through the Services. CUSTOMER HEREBY WAIVES AND HOLD HARMLESS THE PROVIDER FROM ANY CLAIMS RESULTING FROM ANY ACTION TAKEN BY THE COMPANY DURING, OR TAKEN AS A CONSEQUENCE OF, INVESTIGATIONS BY EITHER THE COMPANY OR LAW ENFORCEMENT AUTHORITIES.

  5. Review.  Cauldron cannot review all material before it is posted on the Application and cannot ensure prompt removal of objectionable material after it has been posted. Accordingly, Cauldron assumes no liability for any action or inaction regarding transmissions, communications, or content provided by the Merchant or its Authorized Users.  Cauldron has no liability or responsibility to anyone for performance or nonperformance of the activities described in this section.

  6. Content Standards.  The content standards below ("Content Standards") apply to any and all Merchant Content. Merchant Content must in their entirety comply with all applicable federal, state, local, and international laws and regulations. Without limiting the foregoing, Merchant Content must not:

    1. Contain any material that is defamatory, obscene, indecent, abusive, offensive, harassing, violent, hateful, inflammatory, or otherwise objectionable.

    2. Promote or sell sexually explicit or pornographic material, escort services, adult entertainment, online dating services.

    3. Contain or promote any violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age.

    4. Promote or sell pharmaceutical products, work-at-home scams, gambling services, multi-level marketing, affiliate marketing, credit repair services, social media “likes,” cryptocurrencies, virtual currencies, digital assets.

    5. Infringe any patent, trademark, trade secret, copyright, or other intellectual property or other rights of any other person.

    6. Violate the legal rights (including the rights of publicity and privacy) of others or contain any material that could give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with this Agreement.  

    7. Be likely to deceive any person.

    8. Promote any illegal activity, or advocate, promote, or assist any unlawful act.

    9. Cause annoyance, inconvenience, or needless anxiety or be likely to upset, embarrass, alarm, or annoy any other person.

    10. Impersonate any person or misrepresent your identity or affiliation with any person or organization.

    11. Give the impression that they emanate from or are endorsed by us or any other person or entity, if this is not the case.

  7. Copyright and Trademark Infringement.  All Merchant Content is subject to the Cauldron’s Copyright and Trademark Policy, which can be found at https://cauldronhq.com/legal/tou.  Upon receipt of a complaint in accordance with Cauldron’s Copyright and Trademark Policy, Cauldron reserves the right to remove any and all allegedly infringing Merchant Content.  If Merchant deems the removal of its Merchant Content was by mistake or misidentification, Merchant will send a counter-notification to Cauldron as outlined in its Copyright and Trademark Policy. 

  1. OWNERSHIP

  1. Intellectual Property Rights.  Each Party acknowledges and agrees that the other Party shall not acquire any ownership interest in any patents, trademarks, copyrights, domain names, works of authorship, trade secrets, or any other Intellectual Property Rights  owned by or licensed to the other Party under this Agreement. Each Party shall use the other Party’s Intellectual Property Rights only for the purposes of performing its obligations under this Agreement.   As between you and us, (a) we own all right, title, and interest, including all Intellectual Property Rights, in and to the Services, Feedback (defined below) and Cauldron Property; and (b) you own all right, title, and interest, including all Intellectual Property Rights, in and to Merchant Content.

  2. Feedback. Any information that Merchant provides to Cauldron (including identifying potential errors and improvements) concerning the Application or any aspects of the Service ("Feedback"), you hereby assign to Cauldron all right, title, and interest in and to the Feedback, and Cauldron is free to use, reproduce, disclose, and otherwise exploit the Feedback without attribution, payment or restriction, including to improve the Services and to create other products and services. Cauldron will treat any Feedback as non-confidential and non-proprietary. Merchant shall not submit any Feedback that it considers confidential or proprietary.

  3. Aggregated Data. Notwithstanding anything to the contrary in this Agreement, Cauldron may monitor and collect and compile data and information related to Merchant's use of the Services and Consumers’ use of the Application. Cauldron may use such data as Aggregated Data, including to compile statistical and performance information related to the provision and operation of the Services. As between Cauldron and Merchant, all right, title, and interest in Aggregated Data, and all intellectual property rights therein, belong to and are retained solely by Cauldron. You acknowledge that Cauldron may compile Aggregated Data based on Merchant Content input into the Services. You agree that Cauldron may (i) make Aggregated Data publicly available in compliance with applicable law; (ii) use Aggregated Data to the extent and in the manner permitted under applicable law; and (iii) share, sell, disclose and otherwise provide any such information it collects in de-identified form, to third parties.;   provided that such Aggregated Data do not identify Merchant or Merchant's Confidential Information. 

  4. Trademark and Copyright License Grant. Merchant hereby grants to Cauldron a non-exclusive, non-transferable, and non-sublicensable license to use, reproduce, display, or distribute any Merchant Content it submits through the Services on the Cauldron Application. 

  1. MERCHANT RESPONSIBILITIES

  1. Acceptable Use. The Services may not be used for unlawful, fraudulent, offensive, or obscene activity, as further described herein. You will comply with all terms and conditions of this Agreement, all applicable laws, rules, and regulations, and all guidelines, standards, and requirements herein.

  2. Account Use. You are responsible and liable for all uses of the Services and Documentation resulting from access provided by you, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, you are responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by you will be deemed a breach of this Agreement by you. You shall use reasonable efforts to make all Authorized Users aware of this Agreement's provisions applicable to such Authorized User's use of the Services and shall cause Authorized Users to comply with such provisions. 

  3. Merchant Content. You hereby grant to Cauldron a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Merchant Content and perform all acts with respect to the Merchant Content as may be necessary for Cauldron to provide the Services to you, including access to the Personal Information of your shoppers available through our Services.  You will retain control of Merchant Content and ensure that the Services’ use of the Merchant Content and any Authorized User's use of Merchant Content will not violate any policy or terms referenced in or incorporated into this Agreement, Privacy Policy, or any applicable law. You are solely responsible for the development, content, operation, maintenance, and use of Merchant Content.

  4. Passwords and Access Credentials. You are responsible for keeping your passwords and access credentials associated with the Services confidential and secure. You shall not share, sell or transfer your access credentials to any other person or entity. You will promptly notify us about any unauthorized access to your passwords or access credentials.

  5. Third-Party Products. The Services may permit access to Third-Party Products. For purposes of this Agreement, such Third-Party Products are subject to their own terms and conditions presented to you for acceptance within the Services by website link or otherwise. If you do not agree to abide by the applicable terms for any such Third-Party Products, then you should not install, access, or use such Third-Party Products.

  6. Data Security.  Cauldron is committed to maintaining the security of the Application, Merchant Content, and Personal Information in accordance with our Privacy Policy.  If you become aware of a security vulnerability, please promptly notify Cauldron at security@cauldronhq.com and provide us with as much information as possible about its nature and scope. Cauldron will acknowledge all reported security vulnerabilities within 24 hours of receipt and will work diligently to address any identified issues.  

  7. Not Professional Advice.  We provide the Services to assist you with the creation and management of your business’ loyalty rewards program. However, the online tools, materials, and any other information provided through or on our Platform are for informational purposes only and are not guaranteed to be correct, complete or up-to-date and are not intended to provide legal, accounting, tax, or other professional advice.  Accordingly, you acknowledge and agree that all decisions about the design, strategy and use of our Services will be yours alone. Your use of the Services shall abide by all laws that may apply to loyalty rewards programs in your jurisdiction.  You further acknowledge and agree that it is your responsibility to understand and comply with those laws.

  1. SUPPORT AND UPDATES

  1. Support. The Application shall be available 99.9% of the time seven days each week. Cauldron shall provide basic email support to Merchant during regular business hours, Monday through Friday, except on U.S. federal holidays, 9:00am-5:00pm ET at support@cauldronhq.com.

  1. Updates. Cauldron may from time to time in its sole discretion develop and provide updates to the Services, which may include upgrades, bug fixes, patches, other error corrections, and/or new features (collectively, including related documentation, "Updates"). Updates may also modify or delete in their entirety certain features and functionality. You agree that Cauldron has no obligation to provide any Updates or to continue to provide or enable any particular features or functionality on the existing Platform.  You further agree that all Updates will be deemed part of the Services and be subject to all terms and conditions of this Agreement.

  2. Maintenance and Repairs.  Your access to the Application may be occasionally suspended or restricted to allow for repairs, maintenance or the introduction of new facilities or services. Due to the nature of technical outages, we cannot guarantee notice prior to unplanned outages. Accordingly, you acknowledge and agreed that we will not be held responsible for any delay or failure to comply with our obligations under these conditions if the delay or failure arises from any cause which is beyond our reasonable control.

  1. SUBSCRIPTION

  1. Term.  Your Subscription begins as soon as your initial payment for the Subscription Fees are processed, excluding any free-trial period. Your Subscription will automatically renew each month without notice until you cancel by providing Cauldron with thirty days' written notice before the end of the then-current Subscription period (the “Term”). Subject to the terms and conditions of this Agreement, during the Term, Cauldron shall use commercially reasonable efforts to make the Services available for your use and access.   

  2. Payment Processing.  You will make your payments for your Subscription Fee through Shopify Payments.  You acknowledge and agree to all of the terms and conditions as required by Shopify Payments, as detailed in https://www.shopify.com/legal/terms-payments/us, which will be updated from time to time, in order for Cauldron to collect its Subscription Fee from you.  You will authorize Shopify Payments to store your payment method(s) and to automatically charge your payment method(s) every month until you cancel your Subscription. If your primary payment method fails, you authorize Shopify Payments to charge any other payment method in your account. If you have not provided Shopify Payments a backup payment method(s) and you fail to provide payment for your monthly Subscription Fee, or if all payment methods in your account fail, we may suspend your Subscription.  You expressly grant Cauldron the right to charge you, through Shopify Payments, for each subsequent month’s Subscription Fees until you timely cancel.

  3. Refunds.  Except when required by law, Cauldron shall be under no obligation to issue refunds under any circumstances. All Subscription Fees are non-refundable, even if your Subscription is terminated before its expiration. In the event that Cauldron determines that you are entitled to a refund of all or part of the Subscription Fee you paid, such refund shall be made through Shopify Payments.  

  4. Taxes.  Subscription Fees are exclusive of taxes, and all such taxes, direct or indirect, shall be in addition to any Subscription Fees.  If Cauldron is required to collect indirect and/or transactional taxes (including but not limited to sales tax, value-added tax, goods and services tax) under the laws of your state or country of residence, you shall be liable for payment of any such indirect tax.  Where Cauldron or you are required to collect or remit direct or indirect taxes, you may be required to self-assess said tax under the applicable laws of your country of residence.

  5. Effect of Cancellation. Upon termination of this Agreement, Merchant shall immediately discontinue use of the Cauldron Services, the Application and any Cauldron trademarks. Cauldron shall stop all use of Merchan’s trademarks and trade names and Merchant Content.  No expiration or termination of this Agreement will affect Merchant's obligation to pay all Fees that may have become due before such expiration or termination or entitle Merchant to any refund. 

  6. Overage Fees.  We have the right, but not the obligation, to monitor or remotely audit your use of the Services.  If our audit discovers that your use of the Services exceeds your Subscription, you will be responsible for any and all extra charges that apply for exceeding your usage limits of the Services.  

  7. Return of Merchant Content.  At the end of the Term, you will be entitled to receive from Cauldron the Merchant Content input into the Cauldron Dashboard if you request such return in writing to Cauldron within 48 hours following the end of the Term. The Merchant Content will be in a format determined by us. After such 48-hour period, we will have the right to delete all Merchant Content at any time and cancel your account with us.

  1. Term.  Your Subscription begins as soon as your initial payment for the Subscription Fees are processed, excluding any free-trial period. Your Subscription will automatically renew each month without notice until you cancel by providing Cauldron with written notice before the end of the then-current Subscription period (the “Term”). Subject to the terms and conditions of this Agreement, during the Term, Cauldron shall use commercially reasonable efforts to make the Services available for your use and access.   

  2. Payment Processing.  You will make your payments for your Subscription Fee through Shopify Payments.  You acknowledge and agree to all of the terms and conditions as required by Shopify Payments, as detailed in https://www.shopify.com/legal/terms-payments/us, which will be updated from time to time, in order for Cauldron to collect its Subscription Fee from you.  You will authorize Shopify Payments to store your payment method(s) and to automatically charge your payment method(s) every month until you cancel your Subscription. If your primary payment method fails, you authorize Shopify Payments to charge any other payment method in your account. If you have not provided Shopify Payments a backup payment method(s) and you fail to provide payment for your monthly Subscription Fee, or if all payment methods in your account fail, we may suspend your Subscription.  You expressly grant Cauldron the right to charge you, through Shopify Payments, for each subsequent month’s Subscription Fees until you timely cancel.

  3. Refunds.  Except when required by law, Cauldron shall be under no obligation to issue refunds under any circumstances. All Subscription Fees are non-refundable, even if your Subscription is terminated before its expiration. In the event that Cauldron determines that you are entitled to a refund of all or part of the Subscription Fee you paid, such refund shall be made through Shopify Payments.  

  4. Taxes.  Subscription Fees are exclusive of taxes, and all such taxes, direct or indirect, shall be in addition to any Subscription Fees.  If Cauldron is required to collect indirect and/or transactional taxes (including but not limited to sales tax, value-added tax, goods and services tax) under the laws of your state or country of residence, you shall be liable for payment of any such indirect tax.  Where Cauldron or you are required to collect or remit direct or indirect taxes, you may be required to self-assess said tax under the applicable laws of your country of residence.

  5. Effect of Cancellation. Upon termination of this Agreement, Merchant shall immediately discontinue use of the Cauldron Services, the Application and any Cauldron trademarks. Cauldron shall stop all use of Merchan’s trademarks and trade names and Merchant Content.  No expiration or termination of this Agreement will affect Merchant's obligation to pay all Fees that may have become due before such expiration or termination or entitle Merchant to any refund. 

  6. Overage Fees.  We have the right, but not the obligation, to monitor or remotely audit your use of the Services.  If our audit discovers that your use of the Services exceeds your Subscription, you will be responsible for any and all extra charges that apply for exceeding your usage limits of the Services.  

  7. Return of Merchant Content.  At the end of the Term, you will be entitled to receive from Cauldron the Merchant Content input into the Cauldron Dashboard if you request such return in writing to Cauldron within 48 hours following the end of the Term. The Merchant Content will be in a format determined by us. After such 48-hour period, we will have the right to delete all Merchant Content at any time and cancel your account with us.

  1. CONFIDENTIAL INFORMATION

From time to time during the Term, Cauldron and Merchant may disclose or make available to the other party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information whether or not marked, designated, or otherwise identified as "confidential" at the time of disclosure (collectively, "Confidential Information"). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain through no fault of the receiving party; (b) rightfully known to the receiving party; (c) rightfully obtained by the receiving party on a non-confidential basis from a third party; or (d) independently developed by the receiving party. The receiving party shall not disclose the disclosing party's Confidential Information to any person or entity, except to the receiving party's employees, agents, or subcontractors who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations hereunder and who are required to protect the Confidential Information in a manner no less stringent than required under this Agreement. Notwithstanding the foregoing, each party may disclose Confidential Information to the limited extent required (i) to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order shall first have given written notice to the other party and made a reasonable effort to obtain a protective order; or (ii) to establish a party's rights under this Agreement, including to make required court filings. Each party's obligations of non-disclosure with regard to Confidential Information are effective as of the date such Confidential Information is first disclosed to the receiving party and will expire five years after termination of this Agreement; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

  1. PRIVACY POLICY

Privacy Policy. Cauldron complies with its privacy policy, available at www.cauldronhq.com/privacy ("Privacy Policy"), in providing the Services. The Privacy Policy is subject to change as described therein. By accessing, using, and providing information to or through the Services, you acknowledge that you have reviewed and accepted our Privacy Policy, and you consent to all actions taken by us with respect to your information in compliance with the then-current version of our Privacy Policy.

  1. SECURITY

Cauldron will at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage.  The Merchant will immediately notify the Cauldron if it becomes aware of any vulnerabilities which indicate that the parties should adjust their security measures.  Merchant must take reasonable precautions to preserve the integrity of Merchant Content and any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.

  1. DATA SUBJECT REQUESTS, COMPLAINTS, AND THIRD-PARTY RIGHTS

Merchant shall notify Cauldron within five (5) working days if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions within the control of Cauldron.  Cauldron will notify Merchant if it receives any other complaint, notice, or communication that directly or indirectly relates to the Merchant’s processing of Personal Information.  Each party will give the other party full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

  1. LIMITED WARRANTY AND WARRANTY DISCLAIMER

  1. Cauldron Warranty.  Cauldron warrants that the Services will be performed in accordance with applicable industry and professional standards when accessed and used by Merchant in accordance with the Documentation. In the event the Services do not conform to the warranty, Cauldron shall, at its sole option, either reperform the Services or terminate the Services and issue the Merchant a refund of any pre-payment for the non-conforming Services. Cauldron does not make any representations or guarantees regarding uptime or availability of the Services unless specifically identified in writing. The remedies set forth herein are Merchant's sole remedies and Cauldron's sole liability under the limited warranty set forth in this Section 13(a). THE FOREGOING WARRANTY DOES NOT APPLY, AND PROVIDER STRICTLY DISCLAIMS ALL WARRANTIES, WITH RESPECT TO ANY THIRD-PARTY PRODUCTS.

  2. Merchant Warranty. You warrant that you own all right, title, and interest, including all intellectual property rights, in and to Merchant Data Content and that both the Merchant Data Content and your use of the Services are in compliance with the use restrictions in Section 2(c) and the Content Standards in Section 4(f)..

  3. DISCLAIMER. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8(a), THE PLATFORM ARE PROVIDED "AS IS" AND PROVIDER SPECIFICALLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PLATFORM, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET YOUR OR ANY OTHER PERSON'S OR ENTITY'S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY OF YOUR OR ANY THIRD PARTY'S SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR-FREE, OR THAT ANY ERRORS OR DEFECTS CAN OR WILL BE CORRECTED.

  1. INDEMNIFICATION

  1. Cauldron Indemnification

    1. Cauldron shall indemnify, defend, and hold Merchant harmless from and against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including attorneys' fees ("Losses"), incurred by Merchant resulting from any third-party claim, suit, action, or proceeding ("Third-Party Claim") that the Services used in accordance with this Agreement, infringes or misappropriates such third party's United States Intellectual Property Rights; provided, that Merchant promptly notifies Cauldron in writing of the Third-Party Claim, cooperates with Cauldron, and allows Cauldron sole authority to control the defense and settlement of such Third-Party Claim.

    2. If such a Third-Party Claim is made or Cauldron reasonably anticipates such a Third-Party Claim will be made, Cauldron shall, at Cauldron's sole discretion, either (A) modify or replace the Services, or component or part thereof, to make it non-infringing; or (B) obtain the right for Merchant to continue to use the Services. If Cauldron determines that neither alternative is reasonably available, Cauldron may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Merchant. This Section 14(a)(ii) sets forth your sole remedies and our sole liability and obligation for any actual, threatened, or alleged Third-Party Claims that the Services infringe, misappropriate, or otherwise violate any intellectual property rights of any third party. 

    3. This Section 14(a) will not apply to the extent that any such Third-Party Claim arises from Merchant Content or Third-Party Products.

  2. Merchant Indemnification. Merchant shall indemnify, hold harmless, and, at Cauldron's option, defend Cauldron and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all Losses arising from or relating to any Third-Party Claim that: (i) the Merchant Data, Merchant Content, or any use of the Merchant Data or Merchant Content in accordance with this Agreement, infringes or misappropriates such third party's intellectual property rights; (ii) Merchant’s goods or services; or (iii) based on Merchant's or any Authorized User's negligence or willful misconduct or use of the Services in a manner not authorized by this Agreement; provided that Merchant may not settle any Third-Party Claim against Cauldron unless Cauldron consents to such settlement, and further provided that Cauldron will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

  3. Limitations of Liability. IN NO EVENT WILL CAULDRON BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT SERVICES, IN EACH CASE REGARDLESS OF WHETHER PROVIDER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL PROVIDER'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE EXCEED THE TOTAL AMOUNTS PAID TO PROVIDER UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM. The exclusions and limitations in this Section 14 do not apply to the parties' obligations under Section 9.  

  1. MODIFICATIONS

We may modify this Agreement from time to time. We may modify this Agreement from time to time. Modified terms become effective (i) upon posting for contracts going forward, and, (ii) upon our notice to you and your assent for existing contracts. You will be notified of modifications through direct email communication from us. You are responsible for reviewing and becoming familiar with any such modifications. Your continued use of the Services after the effective date of the modifications will be deemed acceptance of the modified terms. Cauldron will provide at least thirty (30) days' advance notice of changes to any service level that Cauldron reasonably anticipates may result in a material reduction in quality or services to the Services.

We may modify this Agreement from time to time, and that modified terms become effective on posting, our notice to you and your assent. You will be notified of modifications through direct email communication from us. You are responsible for reviewing and becoming familiar with any such modifications. Your continued use of the Services after the effective date of the modifications will be deemed acceptance of the modified terms. Cauldron will provide at least thirty (30) days' advance notice of changes to any service level that Cauldron reasonably anticipates may result in a material reduction in quality or services to the Services.

  1. Dispute Resolution; Class Action Waiver; Arbitration

  1. Cauldron shall, through commercially reasonable efforts, address any concerns that you may have regarding the Services.  If you have any concerns or issues with the Services, you will first contact Cauldron with your concerns and issues at biz@cauldronhq.com

  2. Notice of Claim and Required Information Dispute Resolution Process. If you have any concern or dispute that we are unable to resolve (“Claim”), you agree to first try to resolve the dispute informally and in good faith by contacting us and providing a written “Notice of Claim” to the following address:

Cauldron Technologies, LLC

251 Little Falls Drive

Wilmington, DE 19808

The Notice of Claim must provide Cauldron with fair notice of your identity, a description of the nature and basis of your Claim, and the relief you are seeking, including the specific amount of any monetary relief you are seeking, and cannot be combined with a Notice of Claim for other individuals. If any dispute related to your Claim is not resolved within thirty (30) days of receipt, any resulting legal actions must be resolved through binding arbitration, including any dispute about whether arbitration is required for the dispute, subject to the exceptions set forth below. This agreement to arbitrate shall apply, without limitation, to all claims that arose or were asserted before the effective date of this Agreement. The arbitrator, and not any federal, state, or local court or agency, shall have the exclusive authority to resolve any dispute relating to the interpretation, applicability or enforceability of this Agreement or formation of this Agreement, including whether any dispute between us is subject to arbitration (i.e., the arbitrator will decide the arbitrability of any dispute) and whether all or any part of this Agreement is void or voidable. Claims related to this Agreement or Platform are permanently barred if not brought within one (1) year of the event resulting in the Claim.  

  1. No Class Actions. You may only resolve disputes with us on an individual basis, and you may not bring a claim as a plaintiff or a class member in a class, consolidated, or representative action. Nonetheless, if any portion of this class action waiver is deemed unenforceable or invalid as to a particular remedy, then that remedy (and only that remedy) must be severed from the arbitration and may be sought in court. The parties agree, however, that any adjudication of remedies not subject to arbitration shall be stayed pending the outcome of any arbitrable claims and remedies.

  2. Arbitration. You shall submit any Claims and disputes arising under this Agreement, including disputes arising from or concerning its interpretation, violation, invalidity, non-performance, or termination, to final and binding arbitration under the Rules of Arbitration of the American Arbitration Association applying Delaware law.

  1. GOVERNING LAW AND JURISDICTION

This agreement is governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Delaware. Any legal suit, action, or proceeding arising out of or related to this agreement or the rights granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware in each case located in the city of Wilmington, and each party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

  1. MISCELLANEOUS

This Agreement constitutes the entire agreement and understanding between the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. Except as required by law, any notices to us must be sent to our email address at biz@cauldronhq.com. You hereby consent to receiving electronic communications from us. These electronic communications may include notices about applicable fees and charges, transactional information, and other information concerning or related to the Services. You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing. The invalidity, illegality, or unenforceability of any provision herein does not affect any other provision herein or the validity, legality, or enforceability of such provision in any other jurisdiction. Any failure to act by us with respect to a breach of this Agreement by you or others does not constitute a waiver and will not limit our rights with respect to such breach or any subsequent breaches. This Agreement is personal to you and may not be assigned or transferred for any reason whatsoever without our prior written consent and any action or conduct in violation of the foregoing will be void and without effect. We expressly reserve the right to assign this Agreement and to delegate any of its obligations hereunder.

Exhibit A

Cauldron Technologies, LLC

Data Processing Addendum

This Data Processing Addendum, including its Schedules and Appendices, (“DPA”) forms part of the Merchant Agreement between Cauldron Technologies, LLC, a Delaware limited liability company (“Cauldron,” "we," or "us") and you ("Merchant," "you," or "your") for the purchase of online services from Cauldron (the “Agreement”) to document the parties’ agreement regarding the Processing of Personal Information.

Merchant enters into this DPA for itself, and, if any of its Affiliates act as Controllers of Personal Information, on behalf of those Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing our Services to Merchant under the Agreement, Cauldron may Process Personal Information on behalf of Merchant. The parties agree to the following terms with respect to such Processing.

  1. DEFINITIONS

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et. seq., as amended by the California Privacy Rights Act of 2020 and together with any implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Information and is deemed to also refer to a “business” as defined in the CCPA.

“Data Protection Laws and Regulations” means all laws and regulations of the European Union and its member states, the European Economic Area and its member states, the United Kingdom, Switzerland, the United States, Canada, New Zealand, and Australia, and their respective political subdivisions, applicable to the Processing of Personal Information. These include, but are not limited to, the following, to the extent applicable: the GDPR, UK Data Protection Law, the CCPA, the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act and related regulations (“CPA”), the Utah Consumer Privacy Act (“UCPA”), and the Connecticut Act Concerning Personal Information Privacy and Online Monitoring (the “CPDPA”).

“Data Subject” means the identified or identifiable person to whom Personal Information relates and includes “consumer” as defined in Data Protection Laws and Regulations.

“Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom. Additional provisions applicable to transfers of Personal Information from Europe are contained in Schedule 5. In the event that Schedule 5 is removed, Merchant warrants that it shall not process Personal Information subject to the Data Protection Laws and Regulations of Europe.

GCP” means Google Cloud Platform.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Information” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Merchant Data.

“Personal Information Processing Services” means the Services listed in Schedule 2, for which Cauldron may process Personal Information.

“Process,” “Processes,” “Processed,” “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Information on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.

“Standard Contractual Clauses” means the Annex to the European Commission’s implementing decision (EU) 2021/914 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union and subject to required amendments for Switzerland further described in Schedule 5.

“Sub-processor” means any Processor engaged by Cauldron or by another Sub-processor.

“Supervisory Authority” means a governmental or government-chartered regulatory body having binding legal authority over Merchant.

“UK Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 21 March 2022 at https://ico.org.uk/for-organisations/guide- to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described in Schedule 5.

“UK Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as may be amended from time to time by the Data Protection Laws and Regulations of the United Kingdom.

  1. PROCESSING OF PERSONAL DATA

  1. Scope. The parties agree that this DPA shall apply solely to the Processing of Personal Information in connection with the Services.

  2. Roles of the Parties. The parties agree that with regard to the Processing of Personal Information, Merchant is the Controller and Cauldron is the Processor.

  3. Cauldron’s Processing of Personal Information. Cauldron shall treat Personal Information as Confidential Information and shall Process Personal Information on behalf of and only in accordance with Merchant’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Orders; (ii) Processing initiated by Merchant personnel in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Merchant (e.g., via email) where such instructions are consistent with the terms of the Agreement.

  4. Processing Restrictions. Cauldron shall not: (i) “sell” or “share” Personal Information, as such terms are defined in Data Protection Laws and Regulations; (ii) retain, use, disclose or Process Personal Information for any commercial or other purpose other than to perform the Services; or (iii) retain, use, or disclose Personal Information outside of the direct business relationship between Merchant and Cauldron. Cauldron shall comply with applicable restrictions under Data Protection Laws and Regulations on combining Personal Information with personal data that Cauldron receives from, or on behalf of, another person or persons, or that Cauldron collects from any interaction between it and any individual.

  5. Notification of Unlawful Instructions; Unauthorized Processing. Cauldron shall immediately inform Merchant if, in its opinion, an instruction by Merchant infringes any Data Protection Law or Regulation. Merchant retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, including uses of Personal Information not authorized in this DPA.

  6. Details of the Processing. The subject matter of the Processing of Personal Information by Cauldron is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Information and categories of Data Subjects Processed under this DPA are further specified in Schedule 3 (Details of the Processing).

  7. Data Protection Impact Assessment. Upon Merchant's request, Cauldron shall reasonably assist Merchant in fulfilling Merchant's obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Merchant's use of the Services, to the extent Merchant does not otherwise have access to the relevant information and such information is available to Cauldron. Cauldron shall reasonably assist Merchant in its cooperation or prior consultation with a Supervisory Authority regarding any such data protection impact assessment to the extent required under applicable Data Protection Laws and Regulations.

  8. Merchant Obligations Regarding Personal Information. In its use of the Services, Merchant will comply with the Data Protection Laws and Regulations, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Cauldron. Merchant shall ensure that its instructions for the Processing of Personal Information comply with Data Protection Laws and Regulations.

Merchant shall be solely responsible for the accuracy, quality, and legality of Personal Information and the means by which Merchant acquired Personal Information. Merchant shall ensure that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales, sharing, or other disclosures of Personal Information, to the extent applicable. Merchant shall ensure that Merchant Data does not contain any data which qualifies as personal health data protected under Article L.1111-8 of the French Public Health Code.

  1. REQUESTS FOR MERCHANT DATA

  1. Requests from Data Subjects. Cauldron shall, to the extent legally permitted, promptly notify Merchant if Cauldron receives a request from a Data Subject to exercise the Data Subject's right of access, right of rectification, right to restrict Processing, right of erasure (“right to be forgotten”), right of data portability, right to object to the Processing, or right not to be subject to automated individual decision making, each such request being a “Data Subject Request.” Taking into account the nature of the Processing, Cauldron shall assist Merchant by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Merchant’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Merchant, in its use of the Services, does not have the ability to address a Data Subject Request, Cauldron shall upon Merchant’s request use commercially reasonable efforts to assist Merchant in responding to such Data Subject Request, to the extent Cauldron is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Where such assistance exceeds the scope of the contracted Services, and to the extent legally permitted, Merchant will be responsible for any additional costs arising from the assistance.

  2. Requests from Other Third Parties. If Cauldron receives a request from a third party other than a Data Subject (including, without limitation, a government agency) for Merchant Data, Cauldron shall where permitted by law direct the requesting party to the Merchant and promptly notify the Merchant of the request. Where Cauldron is not permitted by law to notify the Merchant of the request, Cauldron shall only respond to the requesting party if required by law to do so and will make reasonable efforts to work with the requesting party to narrow the scope of the Merchant Data request.

  1. REQUESTS FOR MERCHANT DATA

  1. Requests from Data Subjects. Cauldron shall, to the extent legally permitted, promptly notify Merchant if Cauldron receives a request from a Data Subject to exercise the Data Subject's right of access, right of rectification, right to restrict Processing, right of erasure (“right to be forgotten”), right of data portability, right to object to the Processing, or right not to be subject to automated individual decision making, each such request being a “Data Subject Request.” Taking into account the nature of the Processing, Cauldron shall assist Merchant by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Merchant’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Merchant, in its use of the Services, does not have the ability to address a Data Subject Request, Cauldron shall upon Merchant’s request use commercially reasonable efforts to assist Merchant in responding to such Data Subject Request, to the extent Cauldron is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Where such assistance exceeds the scope of the contracted Services, and to the extent legally permitted, Merchant will be responsible for any additional costs arising from the assistance.

  2. Requests from Other Third Parties. If Cauldron receives a request from a third party other than a Data Subject (including, without limitation, a government agency) for Merchant Data, Cauldron shall where permitted by law direct the requesting party to the Merchant and promptly notify the Merchant of the request. Where Cauldron is not permitted by law to notify the Merchant of the request, Cauldron shall only respond to the requesting party if required by law to do so and will make reasonable efforts to work with the requesting party to narrow the scope of the Merchant Data request.

  1. CAULDRON PERSONNEL

  1. Confidentiality. Cauldron shall ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Cauldron shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

  2. Reliability. Cauldron shall take commercially reasonable steps to ensure the reliability of any Cauldron personnel engaged in the Processing of Personal Information.

  3. Limitation of Access. Cauldron shall ensure that Cauldron’s access to Personal Information is limited to those personnel who require such access to perform the Services in accordance with the Agreement.

  4. Data Protection Officer. Cauldron will appoint a data protection officer where such appointment is required by Data Protection Laws and Regulations. The appointed person may be reached at dpo@cauldronhq.com.

  1. SUB-PROCESSORS

  1. Appointment of Sub-processors. Merchant grants Cauldron a general authorization to appoint third- party Sub-processors in connection with the Services, in accordance with the procedures outlined in this DPA. Cauldron or a Cauldron Affiliate has entered into a written agreement with each Sub- processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Merchant Data, to the extent applicable to the services provided by such Sub-processor.

  2. Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors for the Services, as of the date this DPA is executed, is attached in Schedule 1. Cauldron shall notify Merchant in writing of any new Sub-processor before authorizing such new Sub-processor to Process Personal Information.

  3. Objection Right for New Sub-processors. Merchant may object to Cauldron’s use of a new Sub- processor by notifying Cauldron in writing within 30 days after receipt of a notice described in the preceding paragraph. If Merchant objects to a new Sub-processor as permitted in the preceding sentence, Cauldron will use commercially reasonable efforts to make available to Merchant a change in the Services or recommend a change to Merchant’s configuration or use of the Services, to avoid Processing of Personal Information by the objected-to new Sub-processor without unreasonably burdening Merchant. If Cauldron is unable to make available such change in the SaaS Service, or to recommend such a change to Merchant’s configuration or use of the Services that is satisfactory to Merchant, within a reasonable period of time (which shall in no event exceed 30 days), Merchant may terminate the applicable Order Form(s) by providing written notice to Cauldron. In such event, Cauldron will refund to Merchant any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination, without imposing a penalty for such termination on Merchant.

  4. Liability for Sub-Processors. To the extent required under Data Protection Laws and Regulations, Cauldron shall be liable for the acts and omissions of its Sub-processors to the same extent Cauldron would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

  1. SECURITY

  1. Controls for the Protection of Merchant Data. Cauldron shall maintain appropriate physical, technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Merchant Data), confidentiality and integrity of Merchant Data, including Personal Information, in accordance with Schedule 4 (Cauldron Security Controls). Cauldron will not materially decrease the overall security of the Services during a subscription term.

  1. MERCHANT DATA INCIDENT MANAGEMENT AND NOTIFICATION

  1. Merchant Data Incident.  Cauldron maintains security incident management policies and procedures and shall notify Merchant without undue delay after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Merchant Data, including Personal Information, transmitted, stored or otherwise Processed by Cauldron or its Sub-processors of which Cauldron becomes aware (a “Merchant Data Incident”). Cauldron shall make reasonable endeavors to identify the cause of such Merchant Data Incident and take steps as Cauldron deems necessary and reasonable to remediate the cause of such Merchant Data Incident to the extent the remediation is within Cauldron’s reasonable control. The obligations herein shall not apply to incidents that are caused by Merchant or its personnel.

  2. Third Party Notification.  Cauldron will not inform any third party of a Merchant Data Incident without first obtaining the Merchant's prior written consent, except when law or regulation requires it. Cauldron agrees that the Merchant has the sole right to determine:

    1. whether to provide notice of the Merchant Data Incident to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Merchant's discretion, including the contents and delivery method of the notice; and

    2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

  3. Expenses.  Cauldron will cover all reasonable expenses associated with the performance of the obligations under Section 7(a) and Section 9(b), unless the matter arose from the Merchant's specific instructions, negligence, willful default, or breach of this Agreement, in which case the Merchant will cover all reasonable expenses. Cauldron will also reimburse the Merchant for actual reasonable expenses the Merchant incurs when responding to and mitigating damages, to the extent that Cauldron caused a Merchant Data Incident.

  1. RETURN AND DELETION OF MERCHANT DATA

  1. Cauldron shall return Merchant Data to Merchant and, to the extent allowed by applicable law, delete Merchant Data in accordance with the procedures in the Agreement.

  1. AUDIT

  1. Upon Merchant’s reasonable request, and subject to the confidentiality obligations in the Agreement, Cauldron shall make available to Merchant (or Merchant’s third-party auditor and that has signed a nondisclosure agreement reasonably acceptable to Cauldron) information necessary to demonstrate Cauldron’s compliance with the obligations set forth in this DPA and its obligations as a Processor under Data Protection Laws and Regulations in the form of Cauldron’s completed standardized security questionnaires, third-party certifications and audit reports. Following any notice by Cauldron to Merchant of an actual or reasonably suspected unauthorized disclosure of Personal Information, upon Merchant’s reasonable belief that Cauldron is in breach of its Personal Information protection obligations under this DPA, or if such audit is required by Merchant’s Supervisory Authority, Merchant may contact Cauldron to request an audit of the procedures relevant to the protection of Personal Information. Any such audit shall be conducted remotely, except Merchant and/or its Supervisory Authority may conduct an on-site audit at Cauldron’s premises only if so required by the Data Protection Laws and Regulations. Any such request shall occur no more than once annually, except in the event of an actual or reasonably suspected unauthorized access to Personal Information. Before the commencement of any audit, Merchant and Cauldron shall mutually agree upon the scope, timing, and duration of the audit. In no event will any audit of a Sub-processor, beyond a review of reports, certifications and documentation made available by the Sub-processor, be permitted without the Sub-processor’s consent.

  1. AFFILIATES

  1. Contractual Relationship. The Merchant entity signing this DPA does so for itself and, as applicable, in the name and on behalf of its Affiliates, thereby establishing a separate DPA between Cauldron and each such Affiliate subject to the provisions of the Agreement, this Clause 10, and Clause 11 below. Each such Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, such Affiliates are not and do not become parties to the Agreement, and are only parties to this DPA. All access to and use of the Services by such Affiliates must comply with the Agreement, and any breach of the Agreement by an Affiliate shall be deemed a breach by Merchant.

  2. Communication. The Merchant entity signing this DPA shall remain responsible for coordinating all communication with Cauldron under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.

  3. Rights of Merchant Affiliates. Where a Merchant Affiliate becomes a party to this DPA with Cauldron, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

    1. Except where applicable Data Protection Laws and Regulations require the Merchant Affiliate to exercise a right or seek any remedy under this DPA against Cauldron directly, the parties agree that:

      (i) solely the Merchant entity that signed this DPA shall exercise any such right or seek any such remedy on behalf of the Merchant Affiliate, and (ii) the Merchant entity signing this DPA shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for itself and all of its Affiliates together (as set forth, for example, in Clause 10.3.2 below).

    2. The Merchant entity signing this DPA shall, when carrying out a permitted audit of the procedures relevant to the protection of Personal Information, take all reasonable measures to limit any impact on Cauldron and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Affiliates in one single audit.


  1. LIMITATION OF LIABILITY

  1. To the extent permitted by Data Protection Laws and Regulations, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitations of Liability” clauses, and such other clauses that exclude or limit liability, of the Agreement, and any reference in such clauses to the liability of a party means the aggregate liability of that party and all of its Affiliates.

  1. CHANGES TO TRANSFER MECHANISMS

  1. In the event that a current transfer mechanism relied upon by the parties for the facilitation of transfers of Personal Information to one or more countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations is invalidated, amended, or replaced the parties will work in good-faith to enact such alternative transfer mechanism to enable the continued Processing of Personal Information contemplated by the Agreement. The use of such alternative transfer mechanism shall be subject to each party’s fulfilment of all legal requirements for use of such transfer mechanism.

The parties' authorized signatories have duly executed this Agreement by clicking “I Accept,” including all applicable Schedules, Annexes, and Appendices incorporated herein.

LIST OF SCHEDULES

Schedule 1: Current Sub-Processor List

Schedule 2: Services Applicable to Personal Information Schedule 3: Details of the Processing

Schedule 4: Cauldron Security Controls

Schedule 5: European Provisions

SCHEDULE 1

Current Sub-Processor List

Sub-Processor Name

Location of Processor

Nature of Processing

Duration of Processing

Location of Processing

Google Cloud Platform

USA

Application hosting and data storage

For the term of the Agreement.

United States

Hubspot

USA

Marketing automation

For the term of the Agreement.

United States

Mailchimp

USA

Email delivery

For the term of the Agreement.

United States

Zapier

USA

Automation

For the term of the Agreement.

United States

Sub-Processor Name

Location of Processor

Nature of Processing

Duration of Processing

Location of Processing

Google Cloud Platform

USA

Application hosting and data storage

For the term of the Agreement.

United States

Hubspot

USA

Marketing automation

For the term of the Agreement.

United States

Mailchimp

USA

Email delivery

For the term of the Agreement.

United States

Zapier

USA

Automation

For the term of the Agreement.

United States

Sub-Processor Name

Location of Processor

Nature of Processing

Duration of Processing

Location of Processing

Google Cloud Platform

USA

Application hosting and data storage

For the term of the Agreement.

United States

Hubspot

USA

Marketing automation

For the term of the Agreement.

United States

Mailchimp

USA

Email delivery

For the term of the Agreement.

United States

Zapier

USA

Automation

For the term of the Agreement.

United States

Sub-Processor Name

Location of Processor

Nature of Processing

Duration of Processing

Location of Processing

Google Cloud Platform

USA

Application hosting and data storage

For the term of the Agreement.

United States

Hubspot

USA

Marketing automation

For the term of the Agreement.

United States

Mailchimp

USA

Email delivery

For the term of the Agreement.

United States

Zapier

USA

Automation

For the term of the Agreement.

United States

SCHEDULE 2

Services Applicable to Personal Information Processing

The access to and use of:  

  1. Cauldron’s Application or Cauldron’s hosted software-as-a-service; and

  2. Cauldron Data, and any associated websites, products or services offered by Cauldron, in accordance with the Agreement.

SCHEDULE 3

Details of the Processing

Data Exporter

Merchant:  Name submitted in registration

Main Address: Merchant Address submitted in registration

Data Importer

Full Legal Name: Cauldron Technologies, LLC

Main Address: 867 Boylston Street, Suite 500, Unit 1644, Boston, MA  02116

Contact: Privacy Officer

Contact Email: privacy@caulddronhq.com

Nature and Purpose of Processing

Cauldron will Process Personal Information as necessary to perform the Services pursuant to the Agreement and Orders, and as further instructed by Merchant in its use of the Services.

Duration of Processing

Cauldron will Process Personal Information for the duration of the Agreement, unless otherwise agreed in writing.

Retention

Cauldron will retain Personal Information in the Services for the duration of the Agreement, unless otherwise agreed in writing, subject to the maximum retention period specified in the Documentation.

Frequency of Transfer

As determined by Merchant through their use of the Services.

Transfers to Sub-processor(s)

As necessary to perform the Services pursuant to the Agreement and Orders, and as further described in Schedule 1.

Categories of Data Subjects

Merchant may submit Personal Information to the Services, the extent of which is determined and controlled by Merchant in its sole discretion, and which may include but is not limited to Personal Information relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Merchant (who are natural persons)

  • Employees or contact persons of Merchant’s prospects, customers, business partners and vendors

  • Employees, agents, advisors, freelancers of Merchant (who are natural persons)

  • Merchant’s users authorized by Merchant to use the Services

Type of Personal Information

Merchant may submit Personal Information to the Services, the extent of which is determined and controlled by Merchant in its sole discretion, and which may include but is not limited to the following categories:

Personal Information of Merchant:

  • First and last name

  • Title

  • Position

  • Employer

  • Contact information (company, email, phone, physical business address)

  • IP Address data

Personal Information of Consumers:

  • Name

  • Birthday

  • Email Address

  • Shopping History

SCHEDULE 4

Cauldron Security Controls

  1. INTRODUCTION

  1. Cauldron software-as-a-service applications (Services) were designed with security in mind. The Services are architected with a variety of security controls across multiple tiers to address a range of security risks. These security controls are subject to change; however, any changes will maintain or improve the overall security posture.

  2. The descriptions of controls below apply to the SaaS Service implementations on the Google Cloud platform (together referred to as our Cloud Service Providers, or CSPs), except as specified in the Encryption section below.

  3. GCP is a top-tier facility with several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.

  1. WEB APPLICATION SECURITY CONTROLS

  1. Merchant Data is encrypted in transit between the Consumer and the Application and between Cauldron and the third-party data source.

  2. The Merchant’s SaaS Service administrators can provision and de-provision SaaS Service users and associated access as necessary.

  3. The Merchant’s SaaS Service administrators can access audit trails including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by the Merchant’s SaaS Service administrator logged into the Services as well as through the Services API.

  4. Access to the Services can be restricted by source IP address.

  5. The Services allow Merchants to enable multi-factor authentication for accessing SaaS Service accounts utilizing time-based one-time passwords.

  1. ENCRYPTION

Data is encrypted at rest in GCP using AES-256 key encryption.  Encryption in transit between the Services and the third-party data source (e.g. Hubspot) utilizes HTTPS with TLS 1.2+.

  1. MONITORING AND AUDITING

  1. The Service systems and networks are monitored for security incidents, system health, network abnormalities, and availability.

  2. The Services use an intrusion detection system (IDS) to monitor network activity and alert Cauldron of suspicious behavior.

  3. The Services use web application firewalls (WAFs) for all public web services.

  4. Cauldron logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.

  5. Cauldron utilizes security information and event management (SIEM) systems providing continuous security analysis of the Services’ networks and security environment, user anomaly alerting, command and control (C&C) attack reconnaissance, automated threat detection, and reporting of indicators of compromise (IOC). All of these capabilities are administered by Cauldron’s security and operations staff.

  6. Cauldron’s incident response team monitors the security@cauldronhq.com alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.

  1. DISASTER RECOVERY

  1. Cauldron uses CSP object storage to store encrypted Merchant data across multiple availability-zones.

  1. For Merchant data stored on object storage, Cauldron uses object versioning with automatic aging to support compliance with Cauldron’s disaster recovery and backup policies. For these objects, Cauldron’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 14-day period).

  2. Any required recovery of a computer instance is accomplished by rebuilding the instance based on Cauldron’s configuration management automation.

  3. Cauldron's Disaster Recovery Plan is designed to support a 4-hour recovery time objective (RTO).

  1. VULNERABILITY MANAGEMENT

  1. Cauldron performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.

  2. Vulnerability assessment results are incorporated into Cauldron software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into Cauldron internal ticket system for tracking through resolution.

  1. INCIDENT RESPONSE

  1. In the event of a potential security breach, Cauldron Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, Cauldron will immediately act to mitigate the breach and preserve forensic evidence, and will notify impacted Merchants’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.

  1. SECURE SOFTWARE DEVELOPMENT

  1. Cauldron employs secure development practices for Cauldron applications throughout the software development life cycle. 

  1. SECURE SOFTWARE DEVELOPMENT

  1. Cauldron provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA).

SCHEDULE 5

European Provisions

This schedule shall only apply to transfers of Personal Information (including onward transfers) from Europe that, in the absence of the application of these provisions, would cause either Merchant or Cauldron to breach applicable Data Protection Laws and Regulations.

  1. TRANSFER MECHANISM FOR DATA TRANSFERS

  1. The Standard Contractual Clauses apply to any transfers of Personal Information under this DPA from Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of such territories, to the extent such transfers are subject to such Data Protection Laws and Regulations. Cauldron enters into the Standard Contractual Clauses as data importer. The additional terms in this Schedule also apply to such data transfers.

  1. TRANSFERS SUBJECT TO THE STANDARD CONTRACTUAL CLAUSES

  1. Merchants Covered by the Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms specified in this Schedule apply to:

    1. Merchant, to the extent Merchant is subject to the Data Protection Laws and Regulations of Europe and,

    2. its Authorized Affiliates. For the purpose of the Standard Contractual Clauses and this Schedule, such entities are “data exporters”.

  2. Modules. The Parties agree that where optional modules may be applied within the Standard Contractual Clauses, that only those labeled “MODULE TWO: Transfer controller to processor” shall be applied.

  3. Instructions. The instructions described in Clause 2 above are deemed to be instructions      by Merchant to process Personal Information for the purposes of Clause 8.1 of the Standard Contractual Clauses.

  4. Appointment of New Sub-processors and List of Current Sub-processors. Pursuant to OPTION 2 to Clause 9(a) of the Standard Contractual Clauses, Merchant agrees that Cauldron may engage new Sub-processors as described in Clauses 5.a, 5b, and 5.c above and that Cauldron’s Affiliates may be retained as Sub-processors, and Cauldron and Cauldron’s Affiliates may engage third-party Sub-processors in connection with the provision of the Data Processing Services. The current list of Sub-processors is attached as Schedule 1.

  5. Sub-processor Agreements. The parties agree that data transfers to Sub-processors may rely on a transfer mechanism other than the Standard Contractual Clauses (for example, binding corporate rules), and that Cauldron’s agreements with such Sub-processors may therefore not incorporate or mirror the Standard Contractual Clauses, notwithstanding anything to the contrary in clause 9(b) of the Standard Contractual Clauses. However, any such agreement with a Sub-processor shall contain data protection obligations not less protective than those in this DPA regarding protection of Merchant Data, to the extent applicable to the services provided by such Sub-processor. Copies of the Sub-processor agreements that must be provided by Cauldron to Merchant pursuant to Clause 9(c) of the Standard Contractual Clauses will be provided by Cauldron only upon the written request of Merchant and may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Cauldron beforehand.

  6. Audits and Certifications. The parties agree that the audits described in Clause 8.9 and Clause 13(b) of the Standard Contractual Clauses shall be carried out in accordance with Clause 9 above.

  7. Erasure of Data. The parties agree that the erasure or return of data contemplated by Clause 8.5 or Clause 16(d) of the Standard Contractual Clauses shall be done in accordance with Clause 8 above and any certification of deletion shall be provided by Cauldron only upon Merchant’s request.

  8. Third-Party Beneficiaries. The parties agree that based on the nature of the Services, Merchant shall provide all assistance required to allow Cauldron to meet its obligations to data subjects under Clause 3 of the Standard Contractual Clauses.

  9. Impact Assessment. In accordance with Clause 14 of the Standard Contractual Clauses the parties have conducted an analysis, in the context of the specific circumstances of the transfer, of the laws and practices of the destination country, as well as the specific supplemental contractual, organizational, and technical safeguards that apply, and, based on information reasonably known to them at the time, have determined that the laws and practices of the destination country do not prevent the parties from fulfilling each party’s obligations under the Standard Contractual Clauses.

  10. Governing Law and Forum. The parties agree, with respect to OPTION 2 to Clause 17, that in the event that the EU Member State in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the law of Ireland. In accordance with Clause 18, disputes associated with the Standard Contractual Clauses shall be resolved by the courts specified in the Agreement, unless such court is not located in an EU Member State, in which case the forum for such disputes shall be the courts of Ireland.

  11. Interpretation. The terms of this Schedule are intended to clarify and not to modify the Standard Contractual Clauses. In the event of any conflict or inconsistency between the body of this Schedule and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

  1. PROVISIONS APPLICABLE TO THE TRANSFERS FROM SWITZERLAND

The parties agree that for purposes of the applicability of the Standard Contractual Clauses to facilitate transfers of Personal Information from Switzerland the following additional provisions shall apply: (i) Any references to Regulation (EU) 2016/679 shall be interpreted to reference the corresponding provisions of the Swiss Federal Act on Data Protection and other data protection laws of Switzerland (“Swiss Data Protection Laws”), (ii) Any references to “Member State” or “EU Member State” or “EU” shall be interpreted to reference Switzerland, and (iii) Any references to Supervisory Authority, shall interpreted to refer to the Swiss Federal Data Protection and Information Commissioner.

  1. PROVISIONS APPLICABLE TO THE TRANSFERS FROM THE UNITED KINGDOM

The parties agree that the UK Addendum applies to transfers of Personal Information governed by UK Data Protection Law and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK Addendum):

  1. Table 1: The parties, their details, and their contacts are those set forth in Schedule 3.

  2. Table 2: the "Approved EU Standard Contractual Clauses" shall be the Standard Contractual Clauses as set forth in this Schedule 5.

  3. Table 3: Annexes I(A), I(B), and II are completed as set forth in section 2(k) of this Schedule 5.

  4. Table 4: Cauldron may exercise the optional early termination right described in Section 19 of the UK Addendum.

Cauldron Rewards

Brand loyalty made easy

© 2024 Cauldron Technologies, LLC. All Rights Reserved.

Cauldron Rewards

Brand loyalty made easy

© 2024 Cauldron Technologies, LLC. All Rights Reserved.

Cauldron Rewards

Brand loyalty made easy

© 2024 Cauldron Technologies, LLC. All Rights Reserved.

Cauldron Rewards

Brand loyalty made easy

© 2024 Cauldron Technologies, LLC. All Rights Reserved.