Data Processing Addendum

1. Definitions

Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement. For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by Itemstores on behalf of the Business in connection with the Services.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Protection Laws" means all applicable US federal and state laws and regulations relating to the processing of Personal Data, including the CCPA/CPRA and any other applicable data protection or privacy legislation.
• "Sub-Processor" means any third party engaged by Itemstores to process Personal Data on behalf of the Business.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
• "Services" means the Itemstores platform and related services as described in the Agreement.

2. Scope and Application

This DPA applies to the processing of Personal Data by Itemstores on behalf of the Business. The Business is the Controller of Personal Data collected through its Store(s), and Itemstores acts as the Processor of such data.

This DPA does not apply to Personal Data for which Itemstores is the Controller, such as Business account registration data, billing information, and platform analytics. Itemstores' processing of such data is governed by our Privacy Policy.

By using the Services, the Business instructs Itemstores to process Personal Data as described in this DPA and the Agreement.

3. Details of Processing

3.1 Subject Matter and Purpose

Itemstores processes Personal Data to provide the Services to the Business, including hosting the Business's online Store, facilitating transactions, processing orders, enabling shipping label generation, and providing order management tools.

3.2 Duration of Processing

Processing will continue for the duration of the Agreement, plus any period required for Itemstores to comply with its legal obligations or as set forth in Section 14 of this DPA.

3.3 Nature of Processing

Collection, storage, organization, retrieval, use, transmission, and erasure of Personal Data as necessary to provide the Services.

3.4 Categories of Data Subjects

• Buyers who place orders through the Business's Store(s)
• Visitors to the Business's Store(s)

3.5 Types of Personal Data

• Names
• Email addresses
• Shipping and billing addresses
• Order details and transaction history
• Phone numbers
• Payment-related information (processed by Stripe; Itemstores does not store full credit card numbers)
• Responses to custom checkout questions and personalization requests configured by the Business
• IP addresses
• Browser and device information
• Visitor identifiers (randomly generated IDs used for analytics)

3.6 Sensitive Data

The Business shall not submit, and Itemstores does not knowingly collect, any sensitive personal information (such as Social Security numbers, financial account credentials, health data, or precise geolocation) through the Services. If the Business becomes aware that any sensitive data has been submitted, it must notify Itemstores immediately.

4. Controller Obligations

The Business, as Controller, shall:

• Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents, notices, and permissions have been obtained from Data Subjects
• Comply with all applicable Data Protection Laws in relation to its use of the Services and any processing instructions issued to Itemstores
• Provide Itemstores with documented, lawful processing instructions
• Maintain its own privacy policy that accurately describes its data collection and processing practices to Buyers
• Be responsible for the accuracy, quality, and legality of Personal Data provided to Itemstores
• Notify Itemstores promptly if it becomes aware of any Data Breach or security incident related to Personal Data

5. Processor Obligations

Itemstores, as Processor, shall:

• Process Personal Data only on documented instructions from the Business, unless required to do so by applicable law, in which case Itemstores shall inform the Business of that legal requirement before processing (unless prohibited by law)
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement and maintain appropriate technical and organizational security measures as described in Section 8
• Not engage any Sub-Processor without meeting the requirements set out in Section 6
• Assist the Business, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Data Protection Laws
• Assist the Business in ensuring compliance with its obligations regarding data security and breach notification
• At the choice of the Business, delete or return all Personal Data to the Business after the end of the provision of Services, as described in Section 14
• Make available to the Business all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 11
• Immediately inform the Business if, in Itemstores' opinion, an instruction from the Business infringes Data Protection Laws

6. Sub-Processors

6.1 General Authorization

The Business provides Itemstores with general written authorization to engage Sub-Processors to process Personal Data on the Business's behalf. Itemstores shall ensure that Sub-Processors are bound by data protection obligations no less protective than those set out in this DPA.

6.2 Current Sub-Processors

Itemstores currently engages the following Sub-Processors:

6.3 Changes to Sub-Processors

Itemstores shall notify the Business of any intended changes to its Sub-Processors by updating this page or by email notification. The Business shall have fourteen (14) days from receipt of such notice to object to the new Sub-Processor on reasonable grounds relating to data protection. If the Business objects and Itemstores cannot reasonably accommodate the objection, either party may terminate the Agreement with respect to the affected Services.

6.4 Liability for Sub-Processors

Itemstores shall remain fully liable to the Business for the performance of each Sub-Processor's obligations in accordance with this DPA.

7. Data Subject Rights

Itemstores shall, taking into account the nature of the processing, assist the Business by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Business's obligation to respond to requests from individuals exercising their rights under applicable Data Protection Laws, including rights of access, correction, deletion, and opt-out.

If Itemstores receives a request directly from an individual regarding Personal Data processed on behalf of the Business, Itemstores shall promptly notify the Business and shall not respond to the request directly unless authorized by the Business or required by applicable law.

8. Security Measures

Itemstores shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

• Encryption in transit: SSL/TLS encryption for all data transmitted between users' browsers and our servers
• Secure payment processing: Payment data handled exclusively by PCI DSS-compliant Stripe; Itemstores does not store full credit card numbers
• Password security: Password hashing using industry-standard cryptographic algorithms
• Access controls: Role-based access controls to limit personnel access to Personal Data on a need-to-know basis
• Security headers: Content Security Policy, Strict Transport Security, and X-Content-Type-Options headers
• Infrastructure security: Hosting on Vercel and AWS with industry-standard physical and environmental security controls
• Regular reviews: Periodic security reviews and updates to address emerging threats
• Confidentiality: Personnel authorized to process Personal Data are bound by confidentiality obligations

Itemstores shall regularly assess and, where necessary, update these measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.

9. Data Breach Notification

9.1 Notification to the Business

Itemstores shall notify the Business without unreasonable delay after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Business. The notification shall include, to the extent available:

• A description of the nature of the Data Breach, including the categories and approximate number of individuals and records concerned
• The name and contact details of the Itemstores contact from whom more information can be obtained
• A description of the likely consequences of the Data Breach
• A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

9.2 Cooperation

Itemstores shall cooperate with the Business and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. Itemstores shall also assist the Business in meeting its breach notification obligations under applicable Data Protection Laws.

9.3 Record-Keeping

Itemstores shall maintain a record of all Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken.

10. International Data Transfers

Itemstores is based in the United States. Personal Data processed under this DPA is primarily stored and processed in the United States.

If users access the Services from outside the United States, their Personal Data may be transferred to and processed in the United States or other countries where Itemstores or its Sub-Processors operate. These countries may have data protection laws that differ from those in the user's jurisdiction.

Itemstores shall ensure that any Sub-Processor receiving Personal Data is subject to appropriate contractual data protection obligations.

11. Audit Rights

Itemstores shall make available to the Business all information reasonably necessary to demonstrate compliance with this DPA.

The Business may, upon reasonable written notice of at least thirty (30) days, conduct or commission an independent third-party auditor to conduct an audit of Itemstores' data processing activities, no more than once per calendar year, to verify compliance with this DPA. Such audits shall:

• Be conducted during normal business hours with minimal disruption to Itemstores' operations
• Be subject to reasonable confidentiality obligations
• Not include access to data of other customers or any information that is not relevant to the Business's Personal Data

The Business shall bear its own costs associated with any audit unless the audit reveals a material breach of this DPA by Itemstores, in which case Itemstores shall bear the reasonable costs of the audit.

Itemstores may satisfy audit requests by providing relevant certifications, audit reports, or other documentation that reasonably demonstrates compliance.

12. Duration and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination or expiration of the Agreement, this DPA shall automatically terminate, subject to the obligations in Section 14 regarding the return or deletion of Personal Data.

Any provisions of this DPA that by their nature should survive termination shall survive, including Sections 9, 11, 13, 14, and 15.

13. CCPA/CPRA Provisions

To the extent that the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), applies to Personal Data processed by Itemstores on behalf of the Business, the following provisions shall apply:

• Itemstores acts as a "Service Provider" (as defined under the CCPA/CPRA) with respect to Personal Data processed on behalf of the Business.
• Itemstores shall not retain, use, or disclose Personal Data except as necessary for the specific purposes set forth in the Agreement and this DPA.
• Itemstores shall not sell or share Personal Data (as those terms are defined under the CCPA/CPRA).
• Itemstores shall not combine Personal Data received from the Business with Personal Data received from or on behalf of other persons or collected from Itemstores' own interactions with Data Subjects, except as expressly permitted by the CCPA/CPRA.
• Itemstores shall comply with all applicable obligations of a Service Provider under the CCPA/CPRA and shall assist the Business in responding to verifiable consumer requests.

14. Return and Deletion of Data

Upon termination or expiration of the Agreement, or upon the Business's written request, Itemstores shall:

• At the Business's election, return or delete all Personal Data processed on behalf of the Business, including all copies, unless applicable law requires further storage
• Provide the Business with a reasonable period (no less than thirty (30) days following termination) to request the return of Personal Data in a structured, commonly used, machine-readable format
• After such period, securely delete all remaining Personal Data, unless retention is required by applicable law

Where Itemstores is required by applicable law to retain Personal Data beyond the termination of the Agreement (for example, to comply with tax or accounting obligations), Itemstores shall isolate and protect such data from further processing and shall delete it once the retention obligation expires.

Itemstores shall provide written confirmation of deletion upon the Business's request.

15. Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.

Nothing in this DPA shall limit either party's liability to individuals or to competent regulatory authorities under applicable Data Protection Laws.

16. Conflict

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

17. Contact Information

For any questions or requests related to this DPA, please contact us: