Data Processing Agreement

Last updated: [ date — TBD ]
Draft for review. This is a working template, not final legal text, and is not a substitute for advice from qualified counsel. It must be reviewed, completed, and executed before it has any effect. Items in [ brackets ] are placeholders.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Optonomous, Inc. (“Processor”) and the merchant (“Controller”) and applies to Processor's processing of Personal Data on the Controller's behalf.

1. Roles

For Personal Data of the Controller's customers processed to deliver the Service, the Controller is the controller and Optonomous is the processor (or “service provider” under US state law). Optonomous processes such data only on documented instructions, including those set out in the Terms and this DPA.

De-identified datasets created under the opt-in data program are not Personal Data and fall outside the controller-processor relationship; their treatment is described in the Privacy Policy and program terms. Optonomous contractually prohibits re-identification.

2. Subject matter, nature & purpose

Processing is for the purpose of providing the Service (operating store support, subscriptions, inventory, disputes, and ad operations) for the duration of the Controller's use of the Service. Details are set out in Annex A.

3. Processor obligations

4. Sub-processors

The Controller authorizes Optonomous to engage sub-processors listed in Annex C, subject to flow-down obligations and notice of changes with an opportunity to object. [ Sub-processor list & notice mechanism — TBD ]

5. Data-subject requests

Optonomous will, taking into account the nature of processing, assist the Controller in responding to requests to exercise data-subject rights, including deletion propagation to derived datasets where applicable.

6. Personal data breach

Optonomous will notify the Controller without undue delay after becoming aware of a Personal Data breach and provide information reasonably required for the Controller's obligations. [ Notification window — TBD ]

7. Deletion & return

On termination, Optonomous will delete or return Personal Data at the Controller's choice, except where retention is required by law. De-identified data already created is handled per §1 and the Privacy Policy.

8. Audits

Optonomous will make available information necessary to demonstrate compliance and allow for audits subject to reasonable scope and confidentiality. [ Audit terms — TBD ]

9. International transfers

Where Personal Data is transferred across borders, the parties will rely on an appropriate transfer mechanism, such as [ Standard Contractual Clauses / other — TBD ].

10. Platform-specific terms

Where data is accessed through a commerce platform (e.g., Shopify), the parties will comply with that platform's data-protection requirements, including Shopify's Protected Customer Data requirements. [ Confirm specific obligations — TBD. ]

Annexes

Annex A — Details of processing

Categories of data subjects: [ merchant customers, etc. — TBD ]. Categories of Personal Data: [ contact details, order data, support content — TBD ]. Special categories: [ none / TBD ]. Duration: term of the Service.

Annex B — Security measures

[ Encryption in transit/at rest, access controls, logging, vulnerability management, etc. — TBD ]

Annex C — Sub-processors

[ Name, purpose, location for each — TBD ]