These Data Processing Terms ("Terms") form part of the Terms of Service between Printful Inc. and its affiliated companies and subsidiaries such as AS Printful Latvia, Printful Custom Printing, S.L. and others ("Printful") and Merchants (defined below) regarding Printful's services. These Terms are binding between Printful and Merchants and constitute a data processing agreement. If there is a conflict between these Terms and the Agreement, these Terms will govern. If you do not agree to these Terms, do not use the Service (both defined below).
3.1 To the extent that Printful Processes Personal Data on behalf of the Merchant, the following Processing details apply:
- Categories of Data Subjects. Merchant’s customers (end users of Printful’s Services) and Merchant's potential customers or other end users of Printful's Services, whose personal data Merchant has authorized Printful to Process.
- Type of Personal Data. Personal Data relating to the Merchant's customers and any Personal Data in the Merchant’s printing content (where applicable) and Personal Data revealed during the use of any Printful Services, including name, email address, phone number, shipping address and other information about the Merchant's customers.
- Nature and purpose of processing. Printful processes Data in accordance with these Terms in order to provide the Merchant with the Service and otherwise ensure fulfilment of the obligations set out in the Agreement between the Merchant and Printful to the extent this involves the processing of Personal Data. Printful only has access to the Personal Data that has been provided by the Merchant and uses such Personal Data in accordance with the Merchant's instructions as set out in these Terms.
- Duration of processing. Data will be processed for the duration of the Agreement.
At the choice of the Merchant, Printful will delete or return all Personal Data to the Merchant after the end of the Agreement, and shall delete existing copies, unless an applicable law requires Printful to store such Personal Data.
These Terms are governed by the laws of the Republic of Latvia and are subject to the dispute resolution procedure as prescribed by the Agreement.
Printful reserves the right, at its discretion, to modify these Terms. In case of material changes, Printful will notify the Merchant in writing, giving the Merchant the right to terminate the Agreement.
Technical and Organisational Security Measures
Printful shall take, among others, the following technical and organizational measures to ensure physical security of Personal Data and control system entry, access, transfer, input, availability and separation of Personal Data:
1. to establish the identity of the authorized persons and prevent unauthorized access to Printful’s premises and facilities in which the Personal Data are processed:
All entrances are secured or locked and can only be accessed with the appropriate key / chip card / internal digital keys;
Premises are protected by an alarm system;
All visitors are required to identify themselves and are signed-in by authorized staff;
Video monitoring of premises;
Visitors are accompanied by Printful’s personnel at all times;
Trained security guards are stationed in and around the building 24/7;
2. to prevent unauthorized access to the data processing systems:
Use of state-of-the-art anti-virus software that includes e-mail filtering and malware detection;
Use of firewalls;
During idle times, user and administrator PCs are locked;
Users are required to set up complex passwords and enable 2FA in all systems where this is possible;
Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization;
Starter, mover and leaver housekeeping processes are in place, under which access rights are granted and revoked according to job duties;
RSA/ed25519 2-factor authentication in place for most critical remote connections;
Vulnerability scanning and remediation in place;
Data centre and website penetration testing programme in place.
3. to prevent unauthorized activities in the data processing systems outside the scope of any granted authorizations:
User and administrator access to the network is based on a group-based / role-based access rights model. There is an authorization concept in place that grants access rights to data only on a "need to know" basis;
Administration of user rights through system administrators or system owners;
IT governance and controls audits are undertaken regularly by an external third party;
Internal control audits undertaken regularly.
4. to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during their electronic transmission, their transport, or their recording on data carriers, and to guarantee that it is possible to examine and establish where personal data are or have been transmitted by data transmission equipment: