DATA PROCESSING ADDENDUM
Last updated May 5, 2026
This Data Processing Addendum (together with its annexes, this “DPA”) supplements and forms part of the Software-as-a-Service Agreement between I Want That!, Inc., a Delaware corporation (“I Want That!”) and Customer for I Want That!’s provision of its Services to such Customer (the “Agreement”). This DPA refers to I Want That! and Customer, individually, as a “Party” and, collectively, as the “Parties”. This DPA shall be effective as of the Effective Date of the Agreement and replaces and supersedes any data processing agreement entered by the Parties prior to such date.
1\. DEFINITIONS
Capitalized terms used in this DPA have the meanings given below or, if not defined in this DPA, have the meanings given in the Agreement.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder, in each case, as amended from time to time.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means any Customer Data that constitutes Personal Data. Customer Data does not include Personal Data that I Want That! Processes as a Controller, such as Personal Data pertaining to I Want That!’s business contacts within Customer’s organization or to Account holders where Processed for the Purpose of administering or operating such accounts or I Want That!’s marketing activities. I Want That!’s Processing of Personal Data as a Controller is subject to the I Want That! Privacy Policy.
“Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, the CCPA and other U.S. state privacy laws, the GDPR, and the FADP, in each case, as amended from time to time.
“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.
“Data Subject Request” means the request of a Data Subject to exercise rights under Data Protection Laws in respect of Customer Personal Data pertaining to such Data Subject in I Want That!’s possession, custody, or control.
“EEA” means the European Economic Area.
“FADP” means the Swiss Federal Act on Data Protection, as amended from time to time.
“GDPR” means, as applicable, (a) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) in the European Union (“EU”) or (b) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019\) (“UK GDPR”), in each case, including any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and as amended from time to time.
“Personal Data” means “personal data,” “personal information,” or information within the scope of similar terms defined in Data Protection Laws.
“Personal Data Breach” means a breach of I Want That!’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in I Want That!’s possession, custody, or control.
“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means a transfer of Customer Personal Data to an importer located in (a) where the EU GDPR applies, any country or territory outside the EEA that does not benefit from an applicable adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”), (b) where the UK GDPR applies, any country or territory outside the UK that does not benefit from an applicable adequacy decision from the UK Government (a “UK Restricted Transfer”), or (c) where the FADP applies, any country outside of Switzerland that does not benefit from an adequacy determination by the Swiss Federal Council (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under Chapter V of the GDPR or the FADP, as applicable.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914, as populated in accordance with Annex 2 (Europe Annex).
“Subprocessor” means any third party engaged directly or indirectly by or on behalf of I Want That! to Process Customer Personal Data under I Want That!’s care, custody, or control.
“Supervisory Authority” means (a) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; (b) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office; and (c) in the context of Switzerland and the FADP, the Swiss Federal Data Protection and Information Commissioner.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO under Section 119A of the Data Protection Act 2018, in force from 21 March 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
2\. SCOPE OF THIS DATA PROCESSING ADDENDUM
The Parties acknowledge and agree that Annex 1 (Data Processing Details) to this DPA describes the details of I Want That!’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing). Annex 2 (Europe Annex) and Annex 3 (California Annex), as applicable, to this DPA apply to I Want That!’s Processing of Customer Personal Data in accordance with their respective terms. The terms of this DPA apply solely with respect to I Want That!’s Processing of Customer Personal Data subject to the GDPR, the CCPA or other Data Protection Laws requiring data protection terms to be included in contracts between Customer and its Processors or Service Providers (as defined in Data Protection Laws).
3\. PROCESSING OF CUSTOMER PERSONAL DATA
I Want That! shall Process Customer Personal Data only according to Customer’s instructions or as required by applicable laws (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or EU, as applicable, to which I Want That! is subject). Customer instructs I Want That! to Process Customer Personal Data to provide the Services and as authorized by the Agreement. The Agreement and Customer’s use of the Services’ settings and features in accordance with the Agreement are the complete expression of such instructions, and Customer’s additional instructions shall be binding on I Want That! only pursuant to an amendment to this DPA signed by both parties. Where I Want That! receives an instruction from Customer that, in its reasonable opinion, infringes Data Protection Laws, I Want That! shall notify the Customer.
4\. I Want That! PERSONNEL
I Want That! shall ensure that all I Want That! personnel who access Customer Personal Data are subject to contractual or other legal duties of confidentiality with respect to such Customer Personal Data.
5\. SECURITY
The technical, organizational, and physical measures that I Want That! maintains pursuant to the Agreement to protect Customer Personal Data (the “Security Measures”) shall include the measures described in Annex 4 (Security Measures) of this DPA and any other security measures as I Want That! is required to maintain under Data Protection Laws. I Want That! may modify the Security Measures from time to time so long as the modifications do not decrease overall the protection of Customer Personal Data.
6\. DATA SUBJECT REQUESTS
Customer is solely responsible for responding to Data Subject Requests. Taking into account the nature of the Processing of Customer Personal Data, and employing appropriate technical and organizational measures, I Want That! shall provide Customer with such assistance as Customer may reasonably request in writing to enable Customer to perform its obligations under Data Protection Laws to respond to Data Subject Requests. I Want That! shall promptly forward to Customer any Data Subject Request that I Want That! receives and I Want That! shall not be obligated to respond to any Data Subject Request, but may instruct the Data Subject to submit the request to Customer.
7\. PERSONAL DATA BREACHES
I Want That! shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. I Want That!’s notification of or response to a Personal Data Breach shall not be construed as I Want That!’s acknowledgement of any fault or liability with respect to the Personal Data Breach. If Customer determines that notice of a Personal Data Breach must be given to any Supervisory Authority or other governmental authority, any Data Subject, the public or others in a manner that directly or indirectly refers to or identifies I Want That!, where permitted by applicable laws, Customer shall notify I Want That! prior to giving such notice and in good faith consult with I Want That! regarding such notice and consider any clarifications or corrections of any such notification that I Want That! may reasonably request.
8\. SUBPROCESSING
a. Authorization; Current Subprocessors. Customer generally authorizes I Want That! to engage Subprocessors in accordance with this Section 8, including the Subprocessors listed as of the Effective Date at the following web page or such other web page as I Want That! may provide to Customers from time to time: https://useiwantthat.com/legal/subprocessors (the “Subprocessor Page”).
b. Requirements. I Want That! shall enter into a written contract with each Subprocessor imposing on such Subprocessor data protection obligations at least as protective as those in this DPA with respect to Customer Personal Data to the extent applicable to the nature of the services such Subprocessor provides. I Want That! shall be liable for all Processing of Customer Personal Data delegated to the Subprocessor and its actions and omissions related thereto.
c. New Subprocessors. When I Want That! engages any Subprocessor not listed on the Subprocessor Page as of the Effective Date, I Want That! shall notify Customer of the engagement (including the name, location, and function of the Subprocessor) at least 30 days before such Subprocessor Processes Customer Personal Data by updating the Subprocessor Page, and if Customer has subscribed to receive notifications of updates to the Subprocessor Page through a mechanism designated by the Subprocessor Page, providing such notification. If Customer objects to such Subprocessor’s Processing of Customer Personal Data in a written notice to I Want That! on reasonable grounds relating to the protection of Personal Data, Customer and I Want That! shall work together in good faith to consider a mutually acceptable resolution to such objection. If the parties have not resolved such objection to their mutual satisfaction within a timeframe acceptable to Customer, Customer’s sole and exclusive remedy shall be to terminate the Agreement and cancel the Services no later than 90 days after Customer’s receipt of the initial notice of engagement by notifying I Want That! in writing of such termination and paying I Want That! for all amounts due and owing under the Agreement as of the date of such termination. Such termination shall take effect on the first date as of which I Want That! has received such timely notice and payment.
9\. COMPLIANCE ASSISTANCE; AUDITS
a. Compliance assistance. Taking into account the nature of the Processing and the information available to I Want That!, I Want That! shall provide such information and assistance as Customer may reasonably request to enable Customer to perform its obligations under Data Protection Laws in relation to I Want That!’s Processing of Customer Personal Data, including in relation to (i) the security of Customer Personal Data, (ii) the investigation and reporting of Personal Data Breaches, (iii) the demonstration of I Want That!’s compliance with this DPA, and (iv) the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to I Want That!’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.
b. Information and audits. I Want That! shall cooperate with audits (including inspections) of I Want That!’s technical and organizational measures to verify compliance with Customer’s obligations under Data Protection Laws and I Want That!’s compliance with this DPA, provided that such audits shall be performed (i) at Customer’s sole cost and expense, (ii) by Customer or a qualified and independent third party auditor appointed by Customer in accordance with a recognized audit control standard or framework, (iii) subject to a non-disclosure agreement acceptable to I Want That! in respect of information made available to participants in the audit, (iv) during normal business hours, (v) no more than once in any calendar year during the term of the Agreement unless Customer is required to perform the audit under Data Protection Laws, (vi) in accordance with I Want That!’s safety, security or other relevant policies, and (vii) without unreasonably interfering with I Want That!’s business activities. Customer shall not conduct any scans or technical or operational testing of I Want That!’s applications, websites, Services, networks, or systems without I Want That!’s prior approval. Customer shall promptly provide I Want That! with a copy of any report created by an independent auditor engaged by Customer in respect of such an audit. This Section 9 shall not be construed to require I Want That! to violate a duty of confidentiality to any third party.
c. Audit reports. If the controls or measures to be assessed in the requested audit are assessed in an audit performed by a qualified and independent third-party auditor pursuant to a recognized audit control standard or framework within twelve (12) months of Customer’s audit request and I Want That! has confirmed in writing that there have been no known material changes to the controls audited and covered by such audit, Customer agrees to accept the auditor’s report regarding such audit (“Audit Report”) in lieu of requiring an audit of such controls or measures. Such Audit Report and any other information obtained by Customer in connection with an audit under this Section 9 shall constitute confidential information of I Want That!, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or performing Customer’s obligations under Data Protection Laws. I Want That! shall provide Customer with any relevant Audit Report upon Customer’s written request.
10\. RETURN AND DELETION
Upon expiration or earlier termination of the Agreement, I Want That! shall return and/or delete all Customer Personal Data in I Want That!’s care, custody, or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement. Notwithstanding the foregoing, I Want That! may retain Customer Personal Data where required by law (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable), provided that I Want That! shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose and duration specified in the applicable law requiring such retention.
11\. CUSTOMER RESPONSIBILITIES
a. Security. Customer is solely responsible for its use of the Services, including (i) making appropriate use of the Services to maintain a level of security appropriate to the risk posed to Customer Data; (ii) securing the account authentication credentials, systems and devices Customer or End Users use to access the Services; and (iii) backing up Customer Data.
b. Legal basis. Customer will not instruct I Want That! to Process Customer Data in violation of Data Protection Laws. I Want That! has no obligation to monitor the compliance of Customer’s use of the Service with Data Protection Laws. Customer shall ensure that (i) there is a valid legal basis for I Want That!’s Processing of Customer Personal Data as contemplated by the Agreement for the purposes of Data Protection Laws and (ii) all notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under Data Protection Laws, for I Want That! to Process Customer Personal Data as contemplated by the Agreement.
c. Prohibited data. Customer acknowledges that the Services are not designed to comply with, and shall ensure that Customer Personal Data does not contain any “protected health information” as defined in, the Health Insurance Portability and Accountability Act (HIPAA).
d. Additional assistance. If Customer requests cooperation, information or assistance pursuant to Sections 6, 9, or 10 of this DPA beyond I Want That!’s provision of self-service features as part of the Services that Customer can use to obtain the requested cooperation, information or assistance, then Customer shall reimburse I Want That! for any costs and expenses reasonably incurred by I Want That! in the course of responding to such requests and I Want That! reserves the right to charge its applicable fees for professional services required to fulfill such requests.
12\. PRECEDENCE; MISCELLANEOUS
In the event of any conflict or inconsistency between (a) this DPA and the Agreement, this DPA shall prevail or (b) any SCCs entered into pursuant to Annex 2 (Europe Annex) and any other provision of the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply. References to “including” mean “including, without limitation”.
Annex 1 – Data Processing Details
CUSTOMER | ‘DATA EXPORTER’ DETAILS
Name: As provided in the Agreement or applicable ordering document.
Contact details for data protection: As provided in the Agreement or applicable ordering document.
Customer Activities: As described on Customer’s website set out in the applicable ordering document.
Role: Controller (or if Customer uses the Services on behalf of a Controller, Processor).
I Want That! | ‘DATA IMPORTER’ DETAILS
Name: I Want That!, Inc.
Contact details for data protection: compliance@useiwantthat.com
I Want That! Activities: I Want That! is a software application for supporting customer generated offers across digital channels.
Role: Processor
DETAILS OF PROCESSING
Categories of Data Subjects: Customer’s personnel, customers, service providers, business partners and affiliates.
Categories of Personal Data: Contact details, communications, and other categories of personal data that users choose to submit to the Services.
Sensitive Categories of Data and associated additional restrictions/safeguards: Not applicable.
Frequency of transfer: Continuous.
Nature of the Processing: Processing operations required to provide the Services in accordance with the Agreement.
Purpose of the Processing: Provide the Services, as more particularly described in the Agreement, and carry out Customer instructions as described in this DPA.
Duration of Processing / Retention Period: Concurrent with term of the Agreement and then thereafter pursuant to Section 10 of the DPA.
Transfers to Subprocessors: As described in the Subprocessor Page (as may be updated from time to time in accordance with the DPA) for the purposes described therein.
Annex 2 – Europe Annex
This Annex 2 (Europe Annex) applies only to the extent required to establish a valid legal basis under Chapter V of the GDPR and/or the FADP (as applicable) in respect of a Restricted Transfer of Customer Personal Data from Customer to I Want That! where no other such legal basis applies.
- EU RESTRICTED TRANSFERS
- Incorporation of SCCs. In respect of any EU Restricted Transfer from Customer to I Want That!, the Parties shall comply with their respective obligations under the SCCs, which are hereby deemed to be (i) populated in accordance with this Paragraph 2 and (ii) entered into by the Parties and incorporated by reference into this DPA.
- Population of SCCs. In respect of any EU Restricted Transfer from Customer to I Want That!:
- Signature of the SCCs. Each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs and those SCCs are entered into by and between the Parties as of the later of (A) the effective date of the Agreement or (B) the date of the first EU Restricted Transfer to which they apply.
- Modules. With respect to the Processing of Customer Personal Data involving an EU Restricted Transfer or UK Restricted Transfer, Module 2 (Controller to Processor) of the SCCs applies where Customer is a Controller and I Want That! is a Processor and Module 3 (Processor to Processor) of the SCCs applies where Customer is a Processor (on behalf of a third-party Controller) and I Want That! is a Processor.
- Body of the SCCs. For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
- The optional ‘Docking Clause’ in Clause 7 does not apply.
- In Clause 9, Option 2 applies. The minimum time for advance notice of the addition or replacement of Subprocessors shall be as specified in Section 8 of the DPA and the list of Subprocessors already authorized by the data exporter shall be the list on the Subprocessor Page as of the effective date of the Agreement. Option 1 and Annex III to the Appendix to the SCCs do not apply.
- In Clause 11, the optional language does not apply.
- In Clause 13, all square brackets are removed with the text remaining.
- In Clause 17, Option 1 applies and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer.
- For purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
- Annexes to the Appendix to the SCCs
- Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with Customer being the ‘data exporter’ and I Want That! being the ‘data importer’.
- Part C of Annex I to the Appendix to the SCCs is populated to provide that the competent supervisory authority shall be (1) where Customer is established in an EU Member State, the supervisory authority of that EU Member State; (2) where Customer is not established in an EU Member State but is subject to the GDPR under Article 3(2) and has appointed an EU representative under Article 27 of the GDPR, the supervisory authority of the EU Member State in which Customer’s EU representative is based; or (3) where Customer is not established in an EU Member State but is subject to the GDPR under Article 3(2) and has not appointed an EU representative under Article 27 of the GDPR, the supervisory authority of one of the EU Member States in which Data Subjects whose Personal Data is transferred in the Restricted Transfer in relation to the offering of goods or services to them, or whose behavior is monitored, are located, which supervisory authority must be confirmed in a written notice from Customer to I Want That!.
- Annex II to the Appendix to the SCCs is populated to incorporate the description of the Security Measures in Section 5 of the DPA and I Want That!’s obligations under Sections 6 and 7 of the DPA.
- Operational Clarifications
- When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, I Want That!’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
- For the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for I Want That! to notify any third-party Controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
- For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
- The terms and conditions of Section 8 of the DPA apply in relation to I Want That!’s appointment and use of Subprocessors under the SCCs. Any approval by Customer of I Want That!’s appointment of a Subprocessor that is given expressly or deemed given pursuant to Section 8 of the DPA constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors as required under Clause 8.8 of the SCCs.
- The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9 of the DPA.
- Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Customer’s written request.
- Liability to Data Subjects. Nothing in the Agreement shall limit either party’s liability to Data Subjects under the third party beneficiary provisions of the SCCs.
- UK RESTRICTED TRANSFERS
- Incorporation of SCCs; UK Transfer Addendum. In respect of any UK Restricted Transfer from Customer to I Want That!, the Parties shall be bound by the SCCs as set forth in Paragraph 1 and such SCCs are hereby deemed to be (i) modified to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with this Paragraph 2 and (ii) entered by the Parties and incorporated by reference into this DPA. As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree that the manner of the presentation of the information included in the UK Transfer Addendum as set out in this Paragraph 2 shall not operate or be construed to reduce the Appropriate Safeguards (as defined in the Mandatory Clauses).
- Population of UK Transfer Addendum. In respect of any UK Restricted Transfer from Customer to I Want That!:
- With respect to Part 1 of the UK Transfer Addendum, as permitted by Section 17 thereof, (A) Tables 1, 2 and 3 to the UK Transfer Addendum are populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA, subject to the variations effected by the UK Mandatory Clauses described below, and (B) Table 4 to the UK Transfer Addendum is populated by the box labeled ‘Data Importer’ being ticked.
- With respect to Part 2 to the UK Transfer Addendum, the Parties shall be bound by the UK Mandatory Clauses thereof.
- SWISS RESTRICTED TRANSFERS
- Swiss Restricted Transfers. In respect of any Swiss Restricted Transfer from Customer to I Want That!, the Parties shall be bound by the SCCs as set forth in Paragraph 1 and such SCCs are hereby deemed to be (i) modified to address the requirements of the FADP in accordance with this Paragraph 3 and (ii) entered into by the Parties and incorporated by reference into this DPA.
- Population of SCCs. In respect of any Swiss Restricted Transfer from Customer to I Want That!:
- In Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
- In Clause 17 (Option 1), the SCCs shall be governed by the laws of Switzerland.
- In Clause 18(b), disputes shall be resolved before the courts of Switzerland.
- The term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
- All references to the EU GDPR in this DPA are also deemed to refer to the FADP.
- DATA PRIVACY FRAMEWORK
For clarity, a transfer of Customer Personal Data from the EU, UK or Switzerland to I Want That! in the United States shall not constitute a Restricted Transfer so long as I Want That! maintains an active certification to the EU-U.S. Data Privacy Shield Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Shield Framework, as applicable (collectively, the “DPF”), and certification to the DPF remains a legal basis for transfer of Personal Data to the United States under the GDPR or FADP, as applicable.
Annex 3 – California Annex
This Annex 3 (California Annex) applies only to I Want That!’s Processing of Personal Data subject to the CCPA.
- Capitalized terms used in this California Annex but not defined in the Agreement shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA.
- It is the Parties’ intent that I Want That! is a Service Provider with respect to its Processing of Personal Information. I Want That! (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of the DPA to help to ensure that I Want That!’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by I Want That! that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
- I Want That! shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by CPPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between I Want That! and Customer; or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) collected from I Want That!’s own interaction with any Consumer to whom such Personal Information pertains. I Want That! hereby certifies that it understands its obligations under this paragraph and shall comply with them.
- Giving Customer notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy I Want That!’s obligation under the CPRA to give notice of such engagements.
- The Parties acknowledge that I Want That!’s Processing of Personal Information authorized by Customer’s instructions described in this DPA is integral to the Services and the Parties’ business relationship.
- Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
Annex 4 – Security Measures
Measures of pseudonymization and encryption
Customer Personal Data is encrypted both in transit and at rest. In transit, I Want That! uses TLS 1.2 or greater for data encryption between I Want That! and third parties, including customers. At rest, I Want That! leverages its hosting subprocessor, Amazon Web Services (AWS), to store data, which allows for data to be encrypted at rest using RDS, EBS, and S3.
Amazon Relational Database Service (RDS) encrypts databases using keys that are managed using I Want That!’s Amazon Key Management System (KMS). RDS encryption uses the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.
Measures designed to protect ongoing confidentiality, integrity, availability and resilience of processing systems and services
I Want That! encrypts Customer Personal Data and employs identity and access (both logical and physical) management designed to protect it.
Code changes undergo a second code review before deploying to production.
Access to Customer Personal Data is restricted and logged to prevent unauthorized data modification and corruption.
I Want That! utilizes multiple AWS Availability Zones. I Want That! has a scalable architecture, with a number of parameters that can autoscale based on demand.
Measures for restoring the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident
I Want That! performs daily backups using an automated system in AWS. Datastores are retained for 7 days. Backup data is also stored in a separate AWS availability zone allowing recovery in the event of a physical or technical incident.
I Want That! maintains a disaster recovery plan designed to facilitate an orderly and effective recovery. The plan is tested on an annual basis.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
I Want That! undergoes annual third-party penetration testing. In addition, I Want That! undergoes an annual SOC 2 Type II audit performed by an independent third-party auditor to assess the suitability of the design and effectiveness of our controls.
Measures for user identification and authorization
I Want That! allows customers to enable multi-factor authentication. I Want That! maintains a principle of least privilege on its business systems that Process Customer Personal Data and all uses of elevated privilege are logged. I Want That! requires all production systems that Process Customer Personal Data to be accessed only with multi-factor authentication.
Measures for the protection of data during transmission
Please see "Measures of pseudonymization and encryption of personal data" above.
Measures for the protection of data during storage
Please see "Measures of pseudonymization and encryption of personal data" above.
Measures designed to protect the physical security of locations at which Customer Personal Data are processed
Customer Personal Data is processed by our hosting subprocessor, Amazon Web Services (AWS). AWS data center facilities are ISO 27001:2013 certified and undergo periodic SOC 1 and SOC 2 Type 2 report audits. Certification status and the results of audits are reviewed periodically as part of I Want That!’s monitoring controls and the vendor management process. Physical access to I Want That!’s offices is strictly controlled with keycards and security guards at the building entrances.
Measures for events logging
System logging and monitoring software is used to collect data from system infrastructure components and endpoints, to monitor for potential security threats and vulnerabilities, and to detect unusual system activity or service requests. I Want That! enables alerting when credentials for certain privileged systems are used.
Measures for system configuration, including default configuration
Infrastructure is virtualized with AWS. Our cloud infrastructure is deployed from Terraform templates. Changes to the system configuration and infrastructure must undergo peer review to guard against unauthorized changes.
Measures for internal IT and IT security governance and management
I Want That! has an Information Security Management System (ISMS) committee that is responsible for security and compliance efforts internally. The ISMS committee meets quarterly to review strategic initiatives, assess key risks and threats to the company, and track progress on the remediation of risks identified during the annual internal risk assessment and third-party penetration test.
The ISMS committee exercises oversight of security controls by reviewing the ISMS policy on an annual basis. In addition, the ISMS committee communicates security and compliance efforts to I Want That!’s board of directors on a quarterly basis.
Measures for data minimization
Customers determine what Customer Data will be submitted to the I Want That! Service. I Want That! will inform the Customer if certain data must be provided.
Measures designed to enhance data quality
Customers are responsible for the data they elect to include in Customer Data. Customers can correct or complete data they deem to be inaccurate or incomplete. I Want That! implements access controls and logging for data systems designed to prevent possible data corruption.
Measures for ensuring limited data retention
Upon written request, customers can request their data to be deleted within the timeline specified in the Data Processing Addendum and in accordance with Data Protection Laws.
Measures for allowing data portability and ensuring erasure
I Want That! allows Customers to obtain Customer Personal Data in a structured, commonly used and machine-readable format. Customers can ask I Want That! to delete their Customer Data as described in the Data Processing Addendum and such requests generally will be processed within 30 days.