Addendum to Wayfair Master Platform Agreement
This Addendum forms part of the Wayfair Master Platform Agreement (the “Agreement”) between Wayfair and Supplier. Unless specified herein, all capitalized terms used in this Addendum shall have the meaning set forth in the Agreement.
Auxiliary information to complete Annex I and II of the SCCs:
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Wayfair LLC on behalf of its affiliates and subsidiaries
Address: 4 Copley Place, Boston, MA 02116
Contact person’s name, position, and contact details: Judith Eckert, Data Protection Officer, dataprotectionofficer@wayfair.com
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the underlying Wayfair Master Platform Agreement between Wayfair and Supplier.
Role (controller/processor): Controller
Data importer(s):
Supplier
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the underlying Wayfair Master Platform Agreement between Wayfair and Supplier.
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred:
Current, former, prospective employees
Current, former, prospective customers
2. Categories of personal data transferred:
Employees’ names and contact information, including emails, phone numbers, and communication history
Customer contacts, including addresses, emails, phone numbers, order information, and communication history
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
N/A
3. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis
4. Nature of the processing:
The nature of the Processing is the performance of the services pursuant to the underlying Wayfair Master Platform Agreement between Wayfair and Supplier.
5. Purpose(s) of the data transfer and further processing:
Purpose is to Process Personal Data as necessary to perform the services pursuant to the underlying Wayfair Master Platform Agreement between Wayfair and Supplier.
6. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Data Importer will Process Personal Data for the duration of the underlying Agreement. Supplier may continue to store Personal Data following the termination of the Agreement if required under applicable law or for other legitimate business purposes.
7. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Any processor engaged by Supplier will Process Personal Data as necessary in connection with the underlying Agreement between Wayfair and Supplier and only as instructed by Supplier, and will Process such Personal Data for the duration of the Agreement between Wayfair and Supplier unless otherwise permitted by Supplier in writing.
C. COMPETENT SUPERVISORY AUTHORITY
The Irish DPC shall be the competent Supervisory Authority.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The Data Importer will maintain the technical and organizational measures set forth below:
Supplier’s Information Security Program. Supplier shall maintain an information security program (“Information Security Program”) that: (i) protects Personal Data and ensures the confidentiality, integrity and availability of Personal Data; (ii) is aligned with an industry recognized framework; (iii) is consistent with industry standard practices; (iv) includes commercially reasonable administrative, technical and physical safeguards; and (v) complies with Data Protection Laws. At a minimum, the Information Security Program shall include:
- Information Security Policy. Supplier shall maintain a comprehensive, written information security policy applicable to all authorized personnel including, but not limited to, Supplier’s employees and subcontractors that have access to or otherwise Process Personal Data (“Authorized Personnel”).
- Incident Response Plan. Supplier shall deploy and follow policies and procedures to detect, respond to, and otherwise address a Supplier Data Security Breach including procedures to (i) identify and respond to reasonably suspected or known security incidents, mitigate harmful effects of security incidents, document security incidents and their outcomes, and (ii) restore the availability or access to Personal Data in a timely manner. Upon request, Supplier shall provide Wayfair with a copy of its incident response plan.
- Policy Delivery and Training. Supplier shall ensure that all Authorized Personnel: (i) are advised of and comply with the provisions of the technical and organizational measures set forth herein and (ii) complete information security awareness and data privacy training after being onboarded, with annual refresher training.
- Asset Management. Supplier shall maintain asset management policies, procedures, and controls in accordance with industry standard practices.
- Access Control, including System Authentication and Authorization. Supplier shall maintain access control, authentication, and authorization policies, procedures, and controls in accordance with industry standard practices. Supplier shall limit access to Personal Data to those Authorized Personnel with a need-to-know. Supplier shall monitor and log access to ensure that Authorized Personnel entitled to use a data processing system or application have access only to the Personal Data to which they have a right of access, and that the Personal Data is not read, copied, modified, or removed without authorization.
- Endpoint Hardening. Endpoints are hardened in accordance with industry standard practice. Workstations are protected using anti-malware and endpoint detection and response tools, receiving regular definition and signature updates.
- Encryption. Supplier shall utilize industry standard encryption technologies with respect to Personal Data. Personal Data shall be encrypted in-transit and at rest.
- Password Management. Supplier shall maintain a password management policy that ensures strong passwords consistent with industry standard practices.
- Physical and Environmental Security. Supplier shall maintain physical and environmental security policies, procedures, and controls in accordance with industry standard practices. At a minimum such policies and procedures shall cover: (i) facility access and visitor protocols; and (ii) paper handling.
- Operations Security. Supplier shall maintain operational security policies, procedures, and controls in accordance with industry standard practices. At a minimum, such policies and procedures shall cover and such controls shall include: (i) ensuring Personal Data is logically and/or physically segregated; (ii) firewalls; (iii) network intrusion detection; (iv) regularly updated anti-virus software; (v) application of security patches in accordance with industry standards; (vi) commercially reasonable vulnerability scans; (vii) monitoring for unauthorized access, within Supplier’s network and/or applications, to ensure that unauthorized persons, computers, computer programs or networks do not have access to or use of Personal Data; and (viii) an annual penetration test of Supplier’s key systems and applications carried out by an independent third-party. Upon request, Supplier shall provide a copy of the penetration test results to Wayfair.
- System Acquisition, Development and Maintenance. Supplier shall: (i) use separate physical and logical development/test and production environments and databases; (ii) maintain written change management and secure application/system development procedures; and (iii) maintain tools or services to identify malicious programming and code.
- Supplier Relationships. Where a transfer or disclosure of Personal Data to a subcontractor is to be made in accordance with the requirements set forth in the Agreement, Supplier shall (i) conduct an assessment of the subcontractor’s capabilities to appropriately safeguard Personal Data and (ii) execute a written agreement with the subcontractor that requires the subcontractor to provide an appropriate level of data protection, as set forth in the Agreement and this Addendum.
Business Continuity Management.
- Backup. Supplier shall maintain an industry standard backup system and backup of Personal Data at a secure offsite facility to facilitate timely recovery of Personal Data in the event of a service interruption. Supplier shall conduct regular restoration testing to ensure that Personal Data can be recovered. Supplier shall ensure that the backup system is secured and all Personal Data held on it is encrypted.
- Disaster Recovery and Business Continuity Plans. Supplier shall maintain appropriate disaster recovery and business continuity plans consistent with industry best practices.
Personal Data Retention, Deletion and Return.
- Personal Data Retention. Supplier will store or retain any Personal Data as necessary in relation to the Agreement, for any other legitimate business purposes, or as required by law. Supplier shall maintain a data retention policy and promptly delete any Personal Data that Supplier no longer has a need to retain.
- Personal Data Deletion and Return. Personal Data shall be disposed of in a method that prevents any recovery of the information in accordance with industry best practices for shredding of physical documents and wiping of electronic media (e.g., NIST SP 800-88).