This OnPrintShop Data Processing Addendum ("DPA") is incorporated as a supplement into the OnPrintShop Terms of Service (the "Terms") and applies to any additional OnPrintShop services that you (referred to as "OPS Customers") may choose to utilize. The DPA governs the specific obligations of OnPrintShop and OPS Customers related to the processing of personal data in accordance with applicable data protection laws.
Both OnPrintShop and OPS Customers (individually referred to as a "Party" and collectively as the "Parties") agree that this DPA outlines the mutual responsibilities and obligations regarding the handling of personal data in relation to the use of OnPrintShop services.
Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Terms:
1.1. Applicable Data Protection Law(s): Refers to any data protection or privacy laws applicable to OnPrintShop's processing of Your Personal Data under the Terms, including any regulations, amendments, or replacements from time to time. This includes, based on the location or residence of OPS Customers and/or Your Customers: Canada’s Personal Information Protection and Electronic Documents Act 2000 (PIPEDA); U.S. Data Protection Laws, including the California Consumer Privacy Act, amended by the California Privacy Rights Act (CCPA), Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act, Montana Consumer Data Privacy Act, and any similar comprehensive privacy laws in other U.S. states once effective; General Data Protection Regulation (EU 2016/679) (GDPR) and applicable national laws; EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (UK DPA); Singapore’s Personal Data Protection Act 2012 (PDPA); the Swiss Federal Data Protection Act (Swiss FDPA), and India’s Digital Personal Data Protection Act 2023 (DPDA).
1.2. Customer: Refers to any individual or entity that engages with, interacts with, or purchases products or services from the OnPrintShop platform and services.
1.3. Personal Data: Refers to any information or data categorized as ‘personal data,’ ‘personal information,’ or ‘personally identifiable information’ as defined under the Applicable Data Protection Laws, pertaining to the individuals who are customers of OPS Customers. This data is made accessible to OnPrintShop (or its designated third-party service providers or processors acting on its behalf) by OPS Customers, as part of their use of the Services. Such data may include, but is not limited to, customer names, contact details, transaction history, and other identifiers. For avoidance of doubt, Personal Data excludes any information that OnPrintShop processes as a Data Controller, including data obtained as a result of a direct relationship or interaction between the Customer and OnPrintShop or other OPS Customers.
1.4. Data Controller: The entity that determines the purposes and means of processing Personal Data, as defined under Applicable Data Protection Laws.
1.5. Data Processor or Service Provider: The entity that processes Personal Data on behalf of the Data Controller, in accordance with the Applicable Data Protection Laws.
1.6. Security Incident: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. For the avoidance of doubt, any Personal Data Breach (as defined under Data Protection Laws) will comprise a Security Incident.
1.7. Process, Processes, Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, alteration, retrieval, use, transmission, restriction, or deletion, or as defined under Applicable Data Protection Laws.
1.8. Subprocessor(s): Third-party Data Processors or Service Providers engaged by OnPrintShop to process Personal Data to deliver the Services.
2.1. Relationship of the Parties
(a) The Customer acts as the Data Controller, determining the purposes and means of processing Personal Data in accordance with Applicable Data Protection Laws.
(b) OnPrintShop acts as the Data Processor, processing Personal Data only on behalf of and in accordance with the instructions of the Customer, except where required by law.
(c) Each Party shall comply with its respective obligations under Applicable Data Protection Laws with respect to Personal Data processing.
2.2. Customer’s Obligations
The Customer shall:
a) Ensure that the collection, storage, transfer, and processing of Personal Data by the Customer and its use by OnPrintShop comply with Applicable Data Protection Laws.
b) Implement appropriate technical and organizational measures to ensure and demonstrate that Personal Data is processed in compliance with Applicable Data Protection Laws.
c) Ensure that a valid legal basis (e.g., consent, contract, legitimate interest, legal obligation) exists before transferring Personal Data to OnPrintShop.
d) Where processing is based on consent, the Customer shall be responsible for obtaining and maintaining explicit, informed, and freely given consent from Data Subjects as required by law.
e) Be solely responsible for the accuracy, completeness, and legality of Personal Data provided to OnPrintShop.
2.2. OnPrintShop’s Obligations
OnPrintShop, as the Processor, shall:
a) Process Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries or international organizations, unless required to do so by Applicable Law. In such a case, OnPrintShop shall notify the Customer unless prohibited by law.
b) Inform the Customer if any instruction infringes Applicable Data Protection Laws.
c) Implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, ensuring a level of security appropriate to the risk.
d) Ensure that access to Personal Data is strictly limited to personnel who require access for the performance of their duties, and such personnel are subject to confidentiality obligations.
3.1. OnPrintShop shall process Personal Data in accordance with all Applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (GDPR) (EU & UK), the California Consumer Privacy Act (CCPA), the Digital Personal Data Protection Act (DPDPA) (India), the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), and other relevant privacy laws governing the processing of Personal Data.
3.2. The Customer warrants that it has obtained all necessary consents or established a valid legal basis for the collection, processing, and transfer of Personal Data. The Customer is solely responsible for ensuring that its processing instructions comply with Applicable Data Protection Laws and that Data Subjects are properly informed about how their Personal Data is used and transferred. OnPrintShop shall process Personal Data only as instructed by the Customer and in compliance with this DPA, unless otherwise required by law.
3.3. If the processing or transfer of Personal Data occurs outside the jurisdiction where it was originally collected, OnPrintShop shall ensure that such transfers comply with the European Economic Area (EEA), United Kingdom (UK), Switzerland, the United States (U.S.), Canada, India, and other applicable jurisdictions' laws. Where required, OnPrintShop shall implement appropriate legal mechanisms, such as Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities, Binding Corporate Rules (BCRs), Data Transfer Agreements (DTAs), or frameworks such as the EU-U.S. Data Privacy Framework (DPF) where applicable.
3.4. Additionally, OnPrintShop shall implement technical and organizational safeguards, including encryption, pseudonymization, access controls, and audit mechanisms, to ensure the security and integrity of transferred Personal Data. If the Customer requires specific data transfer mechanisms beyond the default measures, it shall notify OnPrintShop in writing.
4.1. OnPrintShop shall process Personal Data strictly for the duration of the Agreement and only for the specific purposes outlined in Annex 1 or as instructed by the Customer. Processing beyond the agreed scope shall require prior written approval from the Customer and may be subject to additional fees. OnPrintShop shall not retain, use, or disclose Personal Data for any purpose other than providing the agreed Services, except where required by law. OnPrintShop certifies that all personnel handling Personal Data understand and comply with these restrictions.
4.2. Upon termination or expiration of the Agreement, OnPrintShop shall, upon the Customer’s written request, return all Personal Data. If no request is received, OnPrintShop shall delete or anonymize all Personal Data within 120 days, unless a longer retention period is required under Applicable Data Protection Laws or necessary for regulatory compliance, dispute resolution, legal claims, or audits. However, minimal records may be retained to comply with financial, tax, and regulatory obligations, such as transactional records and security logs.
4.3. OnPrintShop may engage Sub-Processors as necessary for service delivery, ensuring they adhere to equivalent data protection obligations. Any data transfer or disclosure to Sub-Processors shall be limited to what is strictly required for service performance and shall comply with all Applicable Data Protection Laws.
5.1. OnPrintShop represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data processed by OnPrintShop in connection with the Terms of Service, and (ii) to protect such data from Security Incidents.
5.2. The Security Measures are subject to technical progress and development, and OnPrintShop may update or modify the Security Measures from time to time provided that such updates and modifications do not result, in OnPrintShop’s discretion, in the material degradation of the overall security of the services procured by the Customer. OnPrintShop will provide notice (in OnPrintShop's portal for customers) of material changes in Security Measures, when possible, at least 10 days before the change will take effect.
5.3. OnPrintShop shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who Processes Personal Data. OnPrintShop shall ensure that persons authorized to Process Personal Data are under an appropriate obligation of confidentiality.
6.1. Upon becoming aware of a Security Incident, OnPrintShop will notify the Customer without undue delay and will provide reasonable information relating to the Security Incident as reasonably requested by the Customer. OnPrintShop will use reasonable endeavors to assist the Customer in mitigating, where possible, the adverse effects of any Security Incident as relates to OnPrintShop’s products and services.
6.2. OnPrintShop shall notify the Customer of a Security Incident within 72 hours of becoming aware of it. The Customer shall be responsible for notifying regulatory authorities and affected Data Subjects, unless otherwise agreed in writing. OnPrintShop shall not be liable for security breaches caused by the Customer’s failure to implement appropriate security measures on its platform.
7.1. OnPrintShop audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted by OnPrintShop’s internal audit team or by third-party auditors engaged by OnPrintShop.
7.2. At the Customer’s written request, and subject to obligations of confidentiality, OnPrintShop may satisfy the requirements set out in this section by providing the Customer with OnPrintShop's Audit report, so that the Customer can reasonably verify OnPrintShop’s compliance with its obligations under this DPA. The Customer shall rely on the Audit report for validation of proper information security practices and shall not have an additional right to audit OnPrintShop's compliance unless such right is specifically granted to the Customer under applicable law. The foregoing shall not apply solely in the case of a Security Breach resulting in a material business impact to the Customer or in connection to a Supervisory Authority-specific request. In such an event, the Customer shall provide OnPrintShop with 30 days' prior written notice (insofar as possible) and the details of any 3rd party auditor on its behalf, for approval.
8.1. If OnPrintShop receives any requests from individual Data Subjects or applicable Data Protection Authorities relating to the Processing of Personal Data under the Terms of Service, including requests from individuals seeking to exercise their rights under Data Protection Law, OnPrintShop will promptly redirect the request to the Customer. OnPrintShop will not respond to such communication directly without the Customer's prior authorization, unless legally compelled to do so. The Customer is responsible for verifying that the requestor is the Data Subject whose information is being sought or its duly authorized representative. OnPrintShop bears no responsibility for information provided in good faith to the Customer in reliance on this subsection.
8.2. If OnPrintShop receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, OnPrintShop shall (to the extent legally permitted) notify the Customer upon receipt of such an order, demand, or request. It is hereby clarified, however, that if no such response is received from the Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), OnPrintShop shall be entitled to provide such information.
8.3. Notwithstanding the foregoing, OnPrintShop will cooperate with the Customer with respect to any action taken by it pursuant to such an order, demand, or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. The Customer shall cover all costs incurred by OnPrintShop in connection with its provision of such assistance.
8.4. Upon reasonable notice, OnPrintShop shall:
a. Taking into account the nature of the Processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject's rights, at the Customer’s expense.
b. Provide reasonable assistance to the Customer in ensuring the Customer’s compliance with its obligation to carry out data protection impact assessments or prior consultations with Data Protection Authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to OnPrintShop, the Parties shall first come to an agreement on the Customer reimbursing OnPrintShop for such costs and expenses.
9.1. The Customer shall be solely responsible for handling all Data Subject Requests in accordance with Applicable Data Protection Laws. This includes responding to requests related to:
a. Access – The right of Data Subjects to obtain confirmation as to whether their Personal Data is being processed and, where applicable, access to such data.
b. Rectification – The right to request correction or completion of inaccurate or incomplete Personal Data.
c. Erasure ("Right to be Forgotten") – The right to request deletion of Personal Data under circumstances permitted by law, such as when the data is no longer necessary for processing.
d. Restriction of Processing – The right to restrict processing where the accuracy of Personal Data is contested, processing is unlawful, or where the Data Subject has objected to processing.
e. Data Portability – The right to receive Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another Controller where technically feasible.
f. Objection – The right to object to the processing of Personal Data based on legitimate interests, including direct marketing.
9.2. OnPrintShop's Obligations:
a. OnPrintShop shall provide reasonable assistance to the Customer in fulfilling Data Subject Requests, to the extent required under Applicable Data Protection Laws.
b. OnPrintShop shall not respond directly to any Data Subject Requests unless legally required to do so or explicitly authorized in writing by the Customer.
c. OnPrintShop shall implement technical and organizational measures to facilitate Data Subject Rights, including but not limited to automated data deletion mechanisms, opt-out functionalities, and customer support assistance, ensuring compliance with data protection principles.
9.3. In the event OnPrintShop receives a Data Subject Request directly, it shall promptly notify the Customer and forward the request for appropriate handling, unless prohibited by law. The Customer shall be responsible for verifying the identity of the Data Subject and ensuring that the response complies with legal requirements.
10.1. The Customer provides a general authorization to OnPrintShop to appoint Sub-Processors in accordance with this Clause.
10.2. OnPrintShop may continue to use those Sub-Processors already engaged by OnPrintShop as at the date of this DPA, as specified in Annex 2, subject to OnPrintShop, in each case as soon as practicable, meeting the obligations set out in this DPA.
10.3. OnPrintShop may engage Sub-Processors and shall notify Customers of any changes. Customers may object within 10 days of notification based on documented compliance concerns.
10.4. With respect to each Sub-Processor, OnPrintShop shall ensure that the arrangement between OnPrintShop and the Sub-Processor is governed by a written contract, including terms which offer at least the same level of protection as those set out in this DPA and meet the requirements of Data Protection Law.
10.5. OnPrintShop will be responsible for any acts, errors, or omissions by its Sub-Processors, which may cause OnPrintShop to breach any of its obligations under this DPA.
10.6. OnPrintShop will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Services on OnPrintShop's behalf.
OnPrintShop’s total liability under this DPA shall be limited to the total fees paid for subscription excluding professional services by the Customer in the 12 months preceding the claim. Neither Party shall be liable for indirect, special, punitive, or consequential damages, including but not limited to loss of revenue, profits, or business opportunities. OnPrintShop shall not be liable for any Customer misuse of Personal Data or failure to comply with Data Protection Laws.
12.1. The Parties acknowledge that OnPrintShop acts solely as an independent Data Processor under this DPA and shall not be deemed a joint controller or agent of the Customer in any manner.
12.2. Any claims brought under this DPA will be subject to the terms and conditions of the Terms of Service, including the exclusions and limitations set forth in the Terms of Service.
12.3. In the event of a conflict between the Terms of Service (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
12.4. OnPrintShop may change this DPA if the change is required to comply with Data Protection Law, a court order, or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of OnPrintShop as the Data Processor; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to Process Personal Data; or (iii) have a material adverse impact on the Customer, as reasonably determined by OnPrintShop.
12.5. If OnPrintShop intends to change this DPA, and such change will have a material adverse impact on the Customer, as reasonably determined by OnPrintShop, then OnPrintShop will inform the Customer (in OnPrintShop's portal for customers) at least 10 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency) before the change will take effect.
ANNEX 1:
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
1. Nature and Purpose of Processing: OnPrintShop processes Personal Data solely for the purpose of providing e-commerce services, including but not limited to order processing, payment facilitation, customer account management, and platform analytics, to the Customer as described in the Terms of Service. Processing activities may also include:
a. Hosting and storage of e-commerce data.
b. Customization of user experience and platform functionalities.
c. Technical support, troubleshooting, and service improvements.
d. Security monitoring, fraud detection, and compliance enforcement.
e. Marketing and analytics (subject to applicable legal requirements and Customer’s instructions).
OnPrintShop shall not process Personal Data for any purposes other than those specified in this DPA or as expressly instructed by the Customer, except where required by Applicable Data Protection Laws.
2. Categories of Personal Data Processed
The Personal Data processed by OnPrintShop may include, but is not limited to, the following categories:
Category | Examples |
---|---|
Customer Data | Name, email address, phone number, billing/shipping address |
Transaction Data | Order history, payment details, purchase records, refunds |
User Account Data | Usernames, passwords, preferences, authentication tokens |
Device & Technical Data | IP addresses, browser type, operating system, log files |
Behavioral Data | Website interactions, product views, cart activity, clickstream data |
Marketing & Communication Data | Opt-in preferences, marketing campaign engagement, feedback |
Support & Inquiry Data | Customer support interactions, complaint records, inquiries |
Sensitive Personal Data: OnPrintShop does not intentionally collect or process sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation data). If the Customer requires processing of such data, it shall inform OnPrintShop in advance and ensure that appropriate legal safeguards are in place.
3. Categories of Data Subjects
The Personal Data processed by OnPrintShop relates to the following categories of Data Subjects:
Category of Data Subjects | Description |
---|---|
End Customers | Individuals who purchase goods or services via the Customer’s e-commerce platform |
Customer’s Employees or Representatives | Individuals authorized by the Customer to manage the e-commerce platform, including administrators, sales staff, and IT personnel |
Website Visitors & Registered Users | Users who interact with the Customer’s e-commerce platform, including those who create accounts, subscribe to newsletters, or browse the website |
Third-Party Vendors or Service Providers | Entities or individuals that provide support services (e.g., logistics providers, payment processors) and whose data may be processed via the platform |
3.6 Compliance with Data Protection Principles
OnPrintShop shall ensure that all Personal Data processing activities comply with the following data protection principles:
Principle | Application |
---|---|
Lawfulness, Fairness & Transparency | Personal Data shall be processed lawfully, fairly, and transparently in accordance with Applicable Data Protection Laws. |
Purpose Limitation | Personal Data shall be collected and processed only for specified, explicit, and legitimate purposes. |
Data Minimization | Personal Data collected shall be adequate, relevant, and limited to what is necessary for the intended purpose. |
Accuracy | Personal Data shall be accurate and kept up to date. The Customer shall ensure timely correction of any inaccuracies. |
Storage Limitation | Personal Data shall be retained only for as long as necessary for processing purposes, in accordance with the Customer’s instructions and legal requirements. |
Integrity & Confidentiality | Personal Data shall be protected against unauthorized access, loss, destruction, or damage using appropriate technical and organizational measures. |
Accountability | OnPrintShop shall maintain records demonstrating compliance with data protection obligations. |
ANNEX 2
LIST OF SUB-PROCESSORS
Entity | Processing Activity | Purpose of Processing | Location |
---|---|---|---|
Amazon | Provides hosting services, platform functionality, DDoS mitigation, threat detection, content delivery network (CDN) services, error logging, and performance monitoring. | To host infrastructure, protect against DDoS attacks, monitor digital threats, and facilitate accelerated content delivery. Additionally, for error monitoring of operational applications and infrastructure services. | USA, Frankfurt, or Singapore |
Zoho | Office productivity and communication tools | To support process/project management and provide product support | USA |
Archbee | Facilitates documentation services | To create and distribute user manuals and video tutorials. | USA |
Last updated as of: February 19, 2025