PrintSprout Retailer – Data Processing Addendum
This Data Processing Addendum ("Addendum") applies to agreements between PrintSprout Inc. ("PrintSprout") and any entity that subscribes to PrintSprout’s services as a Retailer, where such Retailer is subject to Applicable Law. PrintSprout and the Retailer are collectively referred to as the "Parties."
This Addendum sets forth the terms and conditions governing the privacy, confidentiality, and security of Personal Data (as defined below) in connection with the services provided by PrintSprout to the Retailer under the applicable sign-up form and Retailer Terms (together, the "Agreement").
Definitions
Terms defined in the Retailer Terms shall have the same meaning in this Addendum. In addition:
- "Applicable Law": Means all applicable Canadian and United States federal, provincial, state, and local laws and regulations relating to the privacy, confidentiality, security, and protection of Personal Data. This includes, without limitation, Canada’s Personal Information Protection and Electronic Documents Act ("PIPEDA"), the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), and other applicable data protection laws in jurisdictions where PrintSprout operates or where Retailers are located.
- "Data Controller": Means a person or entity who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Processor": Means a person or entity who Processes Personal Data on behalf of the Data Controller.
- "Data Security Measures": Means technical and organizational measures designed to ensure a level of security appropriate to the risk of Processing Personal Data, including protections against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other forms of unlawful Processing, as well as measures to safeguard the confidentiality and integrity of Personal Data.
- "Data Subject": Means an identified or identifiable individual to whom the Personal Data relates.
- "Instructions": Means this Addendum and any additional written instructions or agreements through which the Data Controller directs the Data Processor to carry out specific Processing of Personal Data.
- "Personal Data": Means any information relating to an identified or identifiable individual that is Processed by PrintSprout on behalf of the Retailer pursuant to the Retailer’s Instructions under this Addendum. This includes identifiers such as names, email addresses, phone numbers, IP addresses, or any other data that can be linked to an individual.
- "Personal Data Breach": Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- "Process", "Processed", or "Processing": Means any operation or set of operations performed on Personal Data, whether or not by automated means. This includes, but is not limited to, collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, restriction, erasure, or destruction.
- "Services": Means the services provided by PrintSprout and subscribed to by the Retailer under the Agreement.
- "Sub-Processor": Means any third-party entity engaged by the Data Processor or its subcontractors to Process Personal Data on behalf of and under the direction of the Data Controller.
Roles and Responsibilities of the Parties
The Parties acknowledge and agree that the Retailer is acting as a Data Controller and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data under this Addendum. PrintSprout is acting as a Data Processor on behalf of and in accordance with the Instructions of the Retailer.
All Personal Data shall at all times remain the sole property of the Retailer, and PrintSprout shall not have or acquire any rights or interests in such data.
Obligations of PrintSprout
Where PrintSprout acts as a Data Processor on behalf of the Retailer, PrintSprout agrees and warrants to:
- Process Personal Data only as instructed: Process Personal Data disclosed by the Retailer solely on behalf of and in accordance with the provision of the Services under the Sign-Up Form and Retailer Terms, unless otherwise required by Applicable Law. If PrintSprout is required by law to process Personal Data differently, it will inform the Retailer of that legal requirement before doing so, unless legally prohibited from doing so on important public interest grounds. PrintSprout shall promptly inform the Retailer if, in its opinion, any instruction provided by the Retailer infringes Applicable Law.
- Limit and protect access: Ensure that any person authorized by PrintSprout to process Personal Data in connection with the Services is granted access only on a need-to-know basis and is subject to a legally enforceable confidentiality obligation.
- Data storage locations: PrintSprout may store and process data, including Personal Data, in Canada, the United States, or other jurisdictions as required to deliver its services. PrintSprout will ensure that any data transfers comply with Applicable Law in the jurisdictions in which it operates.
- Handle data subject requests properly: Promptly inform the Retailer of any formal requests received from individuals (Data Subjects) exercising their rights (such as access, correction, erasure, restriction, objection, or data portability). PrintSprout will not respond to such requests directly unless specifically instructed by the Retailer in writing. PrintSprout will provide reasonable assistance to the Retailer, at the Retailer’s cost, in fulfilling its obligations to respond to such requests, taking into account the nature of the processing.
- Respond to legal demands: Notify the Retailer immediately and in writing of any subpoena, court order, or government request seeking access to or disclosure of Personal Data. The Retailer has the right to assume control of the response and may seek a protective order. PrintSprout will reasonably cooperate with the Retailer in any such legal proceedings.
- Support compliance efforts: Provide reasonable assistance to the Retailer, at the Retailer’s cost, to help meet the Retailer’s legal obligations under Applicable Law regarding data privacy and protection.
- Maintain processing records: Maintain internal records of its processing activities involving Personal Data, and make such records available to the Retailer or to relevant regulatory authorities upon request.
Transfer of Personal Information to Print Suppliers
The Retailer expressly acknowledges that PrintSprout will transfer Personal Data to third-party print suppliers in Canada or the United States on behalf of the Retailer in the course of providing its Services. These print suppliers fulfill orders directly to the Retailer's customers as part of a dropshipping model. Such suppliers are not subcontractors or sub-processors of PrintSprout. It is the sole responsibility of the Retailer to ensure that, where required by Applicable Law, an adequate data processing agreement or addendum is in place between the Retailer and each print supplier receiving Personal Data.
Sub-Processing
PrintSprout shall not share, transfer, disclose, make available, or otherwise provide access to any Personal Data to any sub-contractor or sub-processor, nor delegate any of its responsibilities involving Personal Data, unless PrintSprout has entered into a written agreement with that third party. Such agreements must impose obligations on the third party that are at least as protective of Personal Data as those set out in this Addendum and comply with all applicable Canadian and U.S. privacy laws. PrintSprout will only engage third parties that are capable of implementing appropriate safeguards to ensure the privacy, confidentiality, and security of the Personal Data.
Compliance with Applicable Laws
Each party agrees and undertakes to comply with all Applicable Laws in connection with its use or provision of the Services.
Without limiting the foregoing, PrintSprout is not responsible for determining the legal requirements applicable to the Retailer’s business or whether the Retailer’s use of the Services complies with such requirements. As between the parties, the Retailer is solely responsible for ensuring the lawfulness of its Processing of Personal Data, including any Personal Data provided to or processed through PrintSprout. The Retailer agrees not to use the Services in any way that would violate applicable data protection or privacy laws.
If an individual (Data Subject) brings a claim directly against PrintSprout for a violation of their data protection rights and the claim does not result from any breach by PrintSprout of this Agreement, the Retailer agrees to indemnify and hold PrintSprout harmless from any resulting costs, damages, expenses, or losses. This indemnity applies only if PrintSprout has promptly notified the Retailer of the claim and has provided the Retailer with a reasonable opportunity to assist in the defense or settlement of the matter.
Data Security
PrintSprout shall develop, maintain, and implement a comprehensive written information security program that complies with Applicable Law and generally accepted industry practices. This program shall include administrative, technical, physical, and organizational safeguards designed to:
- Ensure the security and confidentiality of Personal Data;
- Protect against anticipated threats or hazards to the integrity of Personal Data;
- Prevent unauthorized access, disclosure, alteration, or destruction of Personal Data;
- Mitigate the risk of any Personal Data Breach.
As part of this commitment, PrintSprout implements the following safeguards and controls:
- Authentication & Authorization: All users and administrators must securely log in via email/password authentication and possess valid session tokens. Access is strictly limited to data within each user's designated company (tenant).
- File Handling & Uploads: Only PDF files may be uploaded through the PrintSprout plugin. Any file not attached to an order is automatically deleted within 24 hours. No other file types are accepted, and file size restrictions apply.
- Media Access: Files stored are accessible only to PrintSprout, the Retailer, and the designated print suppliers strictly for order fulfillment purposes. Some production files may be accessible through time-limited public URLs for print suppliers.
- Encryption: Sensitive information such as API keys and credentials is encrypted. Decryption occurs only when required and is performed using a secure key stored outside the application codebase.
- Webhooks & API Security: All webhook endpoints are protected by authentication or validation requirements. No data from untrusted sources is accepted or processed without strict checks.
- Database Security: All database access is handled using prepared statements, with data access strictly restricted by tenant (company). Personal Data is never exposed across accounts.
- Billing & Payment: All payment information and subscription changes are handled through PCI-compliant providers (Stripe or Chargebee). PrintSprout does not store or process credit card data.
- System Monitoring & Logging: PrintSprout maintains logs of security events and system errors for audit and troubleshooting purposes. No Personal Data is stored in error messages or logs.
- Secure Protocols: All access to PrintSprout’s services is restricted to secure HTTPS connections to protect data in transit.
- Training & Oversight: All PrintSprout personnel with access to Personal Data receive appropriate training and are supervised to ensure privacy and security obligations are maintained.
Data Disposal
Promptly, and in any event within ninety (90) days following the expiration or termination of the Master Agreement, PrintSprout shall either:
- Return all Personal Data to the Retailer or its designee, upon written request made within that period; or
- If no request is made, securely destroy or render unreadable all originals and copies of Personal Data in its possession or under its control.
If applicable law prevents PrintSprout from returning or destroying the data, PrintSprout warrants it will continue to ensure the confidentiality of such Personal Data and will not access, use, or disclose it for any purpose after termination of this Addendum.
Data Breach Notification
PrintSprout shall promptly notify the Retailer in writing upon becoming aware of any actual or suspected Personal Data Breach involving Personal Data processed on behalf of the Retailer. Such notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of affected individuals and the categories and approximate number of impacted Personal Data records;
- The likely consequences of the Personal Data Breach; and
- The measures taken or proposed by PrintSprout to address the breach, including, where applicable, steps taken to mitigate any potential adverse effects.
PrintSprout shall cooperate fully with the Retailer in any reasonable efforts to investigate, contain, mitigate, or remediate the breach. PrintSprout shall also provide the Retailer with any assistance reasonably required to meet the Retailer's obligations under applicable Canadian or U.S. privacy laws related to breach notification, including obligations to notify affected individuals or regulatory authorities if required by law.
Audit
Upon written request by the Retailer (no more than once per calendar year, unless a Personal Data Breach has occurred), PrintSprout shall make available to the Retailer all information reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum.
At the Retailer's expense, PrintSprout shall also allow for and cooperate with audits, including on-site inspections if reasonably required, conducted by the Retailer or a third-party auditor authorized by the Retailer.
Within a reasonable timeframe after such request, PrintSprout agrees to provide:
- any available audit reports or documentation relevant to demonstrating PrintSprout’s compliance with this Addendum; and
- written confirmation that any audits conducted did not reveal any material vulnerabilities in PrintSprout’s systems, or, if any such vulnerabilities were identified, that they have been fully resolved.
Governing Law
This Addendum shall be governed by and construed in accordance with the laws of the jurisdiction specified in the Master Agreement between the Retailer and PrintSprout. Such jurisdiction shall be either the laws of a province or territory in Canada or a state within the United States, as mutually agreed upon in the Master Agreement.