Data Processing Agreement

1. Scope of Processing

• Subject matter: Providing the CatalogCompass PIM platform as described in the Terms of Service.
• Nature: Storage, retrieval, transformation, and synchronization of product catalog data.
• Types of personal data: Names, email addresses (account data); product descriptions and metadata.
• Categories of data subjects: Controller's employees, customers referenced in product data.

2. Processor Obligations

• Process personal data only on documented instructions from the Controller.
• Ensure persons authorized to process personal data have committed to confidentiality.
• Implement appropriate technical and organizational measures to ensure security of processing.
• Engage sub-processors only with prior authorization; maintain an up-to-date list.
• Assist the Controller in responding to data subject requests.
• Delete or return all personal data upon termination of the agreement.
• Make available all information necessary to demonstrate compliance; allow for audits.
• Notify the Controller of a personal data breach without undue delay (within 72 hours).

3. Security Measures

• Data at rest: AES-256 encryption on Azure PostgreSQL and Cloudflare R2.
• Data in transit: TLS 1.2+ for all connections.
• Access control: Role-based access with per-organization tenant isolation.
• Backups: Automated daily backups with 7-day retention.

4. Sub-Processors

The Controller authorizes the use of sub-processors listed on our Sub-Processors page. The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance. View current sub-processors

5. Contact

For DPA-related inquiries, contact us at [email protected].