# ACME Vendor Agreement

**Effective Date:** January 1, 2024

## Parties:

- **Client:** LlamaCo ("Client")
- **Vendor:** ACME Office Supply, Inc. ("Vendor")

## 1. Overview

This Vendor Agreement ("Agreement") sets forth the terms and conditions under which ACME Office Supply, Inc. will provide office supplies, consumables, related goods ("Products"), and associated data processing services to LlamaCo.

## 2. Definitions

- **Personal Data:** Any information relating to an identified or identifiable natural person ('data subject').
- **Processing:** Any operation performed on Personal Data, including collection, storage, modification, transfer, or deletion.
- **Data Controller:** LlamaCo, who determines the purposes and means of processing Personal Data.
- **Data Processor:** ACME Office Supply, Inc., who processes Personal Data on behalf of the Controller.

## 3. Data Protection and Privacy

### 3.1 Scope of Processing

Vendor shall process Personal Data only:

- To fulfill orders and manage deliveries
- To provide customer support services
- To maintain business records
- To comply with legal obligations

### 3.2 Data Subject Rights

Vendor shall:

- Respond to data subject requests within 30 days
- Provide data in a structured, commonly used format
- Implement measures to facilitate data portability
- Assist with data subject rights requests at no additional cost

### 3.3 Data Transfers and Storage

- Vendor maintains primary data centers in the United States
- Vendor may transfer data to any country where it maintains operations
- No prior notification required for new data storage locations
- Vendor will rely on its standard data transfer mechanisms
- Data may be processed by staff operating outside the EEA

### 3.4 Subprocessors

- Vendor may engage subprocessors without prior Client approval
- Subprocessors may be located in any jurisdiction globally
- Notice of new subprocessors provided within 30 days of engagement
- Client has no right to object to new subprocessors

## 4. Security Measures

### 4.1 Technical and Organizational Measures

Vendor shall implement appropriate measures including:

- Encryption of Personal Data in transit and at rest
- Access controls and authentication
- Regular security testing and assessments
- Employee training on data protection
- Incident response procedures

### 4.2 Data Breaches

Vendor shall:

- Notify Client of any Personal Data breach within 72 hours
- Provide details necessary to meet regulatory requirements
- Cooperate with Client's breach investigation
- Maintain records of all data breaches

## 5. Data Retention

### 5.1 Retention Period

- Personal Data retained only as long as necessary
- Standard retention period of 3 years after last transaction
- Deletion of Personal Data upon written request
- Backup copies retained for maximum of 6 months

### 5.2 Termination

Upon termination of services:

- Return all Personal Data in standard format
- Delete existing copies within 30 days
- Provide written confirmation of deletion
- Cease all processing activities

## 6. Compliance and Audit

### 6.1 Documentation

Vendor shall maintain:

- Records of all processing activities
- Security measure documentation
- Data transfer mechanisms
- Subprocessor agreements

### 6.2 Audits

- Annual compliance audits permitted
- 30 days notice required for audits
- Vendor to provide necessary documentation
- Client bears reasonable audit costs

## 7. Liability and Indemnification

### 7.1 Liability

- Vendor liable for data protection violations
- Reasonable compensation for damages
- Coverage for regulatory fines where applicable
- Joint liability as required by law

## 8. Governing Law

This Agreement shall be governed by the laws of Ireland, without regard to its conflict of laws principles.

---

IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.

**LlamaCo**

By: **_
Name: [Authorized Representative]  
Title: [Title]  
Date: _**

**ACME Office Supply, Inc.**

By: **_  
Name: [Authorized Representative]  
Title: [Title]  
Date: _**
