Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms when Shoppio processes Personal Data on behalf of the Customer as Processor.

"Personal Data", "Processing", "Controller", "Processor" and "Data Subject" have the meanings given in GDPR Art. 4.

Subject-matter, duration, nature, purpose, categories of data subjects and personal data are described in Annex 1 of the Service Order.

Shoppio will process Personal Data only on documented instructions of the Customer.

Persons authorized to process Personal Data are bound by appropriate confidentiality obligations.

Technical & organizational measures: encryption at rest (AES-256) and in transit (TLS 1.3), least-privilege access, audit logging, intrusion detection, regular penetration testing.

Customer authorizes the engagement of the following sub-processors. Shoppio will notify Customer of any addition or replacement (30-day objection right).

Shoppio will assist Customer in fulfilling requests by Data Subjects to exercise rights under applicable data protection law.

Shoppio will notify Customer without undue delay (within 72 hours) of becoming aware of a Personal Data Breach.

Transfers from the EU/EEA, UK or Switzerland are governed by the EU Standard Contractual Clauses (2021/914) and the UK Addendum.

Customer (or its representative) may audit Shoppio's compliance once per year on 30 days' notice, subject to standard confidentiality.

On termination, Shoppio will delete or return Personal Data within 60 days unless retention is required by law.