Division of Superior Group of Companies

sgc-logo

Data Processing Addendum

This Data Processing Addendum (this “Addendum”) is effective as of the effective date of the Service Agreement (the “Addendum Effective Date”) by and between BAMKO, LLC, a Delaware limited liability company, having its registered office and principal place of business at 11620 Wilshire Blvd., Suite 360, Los Angeles, CA 90025, referred to herein as “BAMKO” .

This Addendum supplements the Master Purchase and Services Agreement between Company and BAMKO governing the Company’s purchase and use of Products and Services (the “Service Agreement”), as executed between the parties or their Affiliates. In the event of a conflict between any provisions of the Service Agreement and the provisions of this Addendum, the provisions of this Addendum shall govern and control.

1. Scope and Purpose

1.1 This Addendum applies to Personal Data processed under the GDPR and CCPA and provides an overview of data types, data subjects, and processing purposes (Annex 2).

1.2
This Addendum incorporates the EU Model Clauses for transferring Personal Data originating in the EEA to jurisdictions lacking adequate protection.

1.3
The processing of Personal Data is governed by the Company’s instructions. BAMKO will process Personal Data only as required to provide the Services.

2. Definitions

Key terms follow definitions in the GDPR, CCPA, and the Service Agreement, including:

  • “Personal Data”: Defined per GDPR and as “Personal Information” under CCPA.
  • “Subprocessor”: Any third party engaged by BAMKO to process Personal Data.
  • “EU Model Clauses”: Standard contractual clauses approved by the European Commission.

3. Data Processing Responsibilities

3.1 The Company determines the purposes and scope of processing. BAMKO processes Personal Data strictly per the Company’s written instructions.
3.2 BAMKO may only use approved Subprocessors (Annex 4).
3.3 Both parties will implement appropriate technical and organizational measures (Annex 3) to protect Personal Data against risks.

4. Sub processors

4.1 BAMKO’s approved Subprocessors are listed in Annex 4:

  • Amazon Web Services, Google, Merchant e-Solutions, UPS, USPS, Shipwire (UK only).

4.2 BAMKO will notify the Company of any additions or changes to Subprocessors, giving the Company the right to object within 30 days.

5. Data Transfers

5.1 Transfers of EEA-originating Personal Data are governed by the EU Model Clauses attached in Annex 5.
5.2 BAMKO shall notify and seek authorization from the Company before transferring data to jurisdictions without adequate protection.

6. Security Measures

Both parties agree to maintain and implement the security measures detailed in Annex 3, including:

  • Access controls, encryption, pseudonymization, regular audits, and incident response protocols.
  • Measures to ensure confidentiality, integrity, and resilience of processing systems.

7. Incident Management

7.1 BAMKO shall notify the Company of any data breaches or incidents that materially impact Personal Data security.
7.2 Notifications will include the nature of the breach, categories of data affected, and mitigation steps.

8. Return or Deletion of Data

Upon termination of the Service Agreement, BAMKO shall either return or securely delete all Personal Data, except where retention is required by law.

9. Assistance to Data Controller

BAMKO shall assist the Company in fulfilling obligations under the GDPR and CCPA, including responding to Data Subject requests and conducting Data Protection Impact Assessments.

10. Miscellaneous Provisions

  • Governing Law: This Addendum is governed by the laws of Delaware.
  • Counterparts: This Addendum may be executed electronically and in counterparts.

Annexes

Annex 1: Contact Information

BAMKO, Data Protection Officer (DPO): Max Levavi
Address: 11620 Wilshire Blvd., Suite 360, Los Angeles, CA 90025
Email: privacy@bamko.net

Annex 2: Personal Data Overview

  • Categories of Data Subjects: Consumers, employees, contractors, application end-users,
    website visitors.
  • Types of Personal Data:
            Personal identifiers, contact details, employment data, geolocation data, internet history, biometric information.
  • Purpose of Processing: To provide Services under the Service Agreement.

Annex 3: Security Measures

  • Logical access controls, encryption, intrusion detection, regular compliance testing, and
    monitoring.
  • Measures to restore access and data in the event of an incident.

Annex 4: Approved Subprocessors

Name of Subprocessor Description of Processing Location of Subprocessor
Amazon Web Services (AWS)
Cloud infrastructure, hosting, and data storage
United States
Google
Cloud services, analytics, email, and application hosting
United States
Merchant e-Solutions
Payment processing services
United States
UPS
Order shipment and tracking
United States
USPS
Order shipment and delivery services
United States
Shipwire (UK only)
Logistics and fulfillment services
United Kingdom

Annex 5: EU Model Clauses

  • Standard Contractual Clauses for EEA-originating data transfers.
Scroll to Top