DATA PROCESSING AGREEMENT
Shoptera
Last updated: January 1, 2025 | Binding version — Czech informational translation available at shoptera.ai
Preamble
This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service (together with this DPA, the "Agreement") between Statistix s.r.o., reg. ID: 21035334, Kaprova 42/14, Staré Město, 110 00 Prague, Czech Republic ("Processor") and the Client who has accepted the Terms of Service ("Controller").
This DPA governs the processing of personal data that the Controller submits to the Shoptera platform in the course of using the service, in particular data incidentally present in product XML feeds and publicly accessible e-commerce store pages. This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") and reflects the parties' agreement on the conditions under which the Processor shall process personal data on behalf of the Controller.
In the event of any conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA shall prevail. Capitalised terms not defined herein have the meanings set out in the Terms of Service and Privacy Policy available at shoptera.ai.
1. Definitions
1.1 In this DPA, the following definitions apply:
(a) Controller: the entity that determines the purposes and means of personal data processing; here, the Client.
(b) Processor: the entity that processes personal data on behalf of and on the instructions of the Controller; here, Statistix s.r.o. operating the Shoptera Platform.
(c) Sub-Processor: any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
(d) Personal Data: any information relating to an identified or identifiable natural person within the meaning of Article 4(1) GDPR, which is contained in or incidentally forms part of the data submitted to the Platform by the Controller.
(e) Data Subject: any natural person whose Personal Data is processed under this DPA.
(f) Processing: any operation performed on Personal Data, as defined in Article 4(2) GDPR.
(g) Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, as defined in Article 4(12) GDPR.
(h) Standard Contractual Clauses (SCC): the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
(i) Supervisory Authority: the competent data protection supervisory authority, in particular the Czech Office for Personal Data Protection (ÚOOÚ) or, where applicable, the supervisory authority in the Controller's country of establishment.
2. Subject Matter, Nature, and Purpose of Processing
2.1 SUBJECT MATTER. The Processor processes Personal Data on behalf of the Controller solely to the extent necessary to provide the Shoptera platform service, which consists of the automated analysis and optimisation of the Controller's product XML feeds for Google Shopping, as further described in the Terms of Service and in Annex 1 to this DPA.
2.2 NATURE OF PROCESSING. Processing activities carried out under this DPA include: downloading and storing the Controller's product XML feed; running automated AI Agent analysis on feed data; accessing publicly available product pages of the Controller's e-commerce store for attribute enrichment (Enrichment Agent); generating, storing, and presenting optimisation Suggestions to the Controller; applying accepted Suggestions to the managed feed; and synchronising the optimised feed at intervals determined by the Controller's subscription plan.
2.3 LIMITATION OF PURPOSE. The Processor shall process Personal Data exclusively for the purposes specified in this DPA and in Annex 1. The Processor shall not process Personal Data for its own purposes, for the purposes of any third party, or for any purpose incompatible with those specified herein, including for profiling, advertising, or the training of AI models using the Controller's data without the Controller's explicit written consent.
2.4 INCIDENTAL NATURE OF PERSONAL DATA. The parties acknowledge that the Shoptera service is designed to process product catalogue data, not personal data. Any Personal Data processed under this DPA is incidental to the primary purpose of feed optimisation and arises solely because the Controller's feed or publicly accessible store pages happen to contain such data. The Controller is responsible for minimising the presence of personal data in product feeds shared with the Processor.
3. Controller's Obligations
3.1 LAWFULNESS OF PROCESSING. The Controller warrants that it has a valid legal basis for processing the Personal Data submitted to the Platform and for engaging the Processor to process such data on its behalf. The Controller is solely responsible for the accuracy, quality, and legality of the Personal Data and for the means by which it was obtained.
3.2 INSTRUCTIONS. The Controller's instructions to the Processor are set out in this DPA and in the Terms of Service. The Controller may issue additional documented instructions within the scope of the service. The Processor shall be entitled to seek clarification of any instruction it considers ambiguous or potentially unlawful before acting upon it.
3.3 DATA MINIMISATION. The Controller shall take reasonable steps to ensure that product feeds and store pages submitted to the Platform do not contain unnecessary personal data. The Controller acknowledges that where personal data is unnecessarily included in feeds, it may be processed by the Processor's AI Agents as part of automated feed analysis.
3.4 INFORMATION OBLIGATIONS. Where required by applicable law, the Controller is responsible for informing Data Subjects about the processing of their personal data by the Processor under this DPA.
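As a practical illustration of the data minimisation step in Article 3.3, the following Python script screens a Google Shopping product feed for e-mail addresses and phone numbers in free-text attributes before the feed is handed to the Platform. It is example code added to this page, not part of the Shoptera service or Statistix's own tooling; the field allow-list, the regular expressions and the two-item sample feed are constructed assumptions for the demonstration, and the feed namespace is the standard Google Shopping one.

```python
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple

# Google Shopping product feeds are RSS 2.0 documents whose product attributes
# live in the "g" namespace (g:id, g:title, g:description, ...).
G_NS = "http://base.google.com/ns/1.0"

# Assumed screening patterns (not taken from the DPA): an e-mail address and a
# loose 9- to 15-digit phone number with optional +/00 prefix and space or dash
# separators. They are deliberately broad: a hit means "review this field".
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+|00)?\d(?:[ \-]?\d){8,14}(?!\d)"),
}

# Free-text attributes where contact details tend to be pasted by mistake.
# Identifier fields such as g:gtin or g:mpn are excluded on purpose: long digit
# strings there are product codes, not phone numbers (assumption for this example).
FIELDS_TO_SCAN = frozenset({
    "title", "description", "brand",
    "custom_label_0", "custom_label_1", "custom_label_2",
    "custom_label_3", "custom_label_4",
})


class Finding(NamedTuple):
    item_id: str
    field: str
    kind: str
    count: int
    redacted: str  # field text with every match masked, safe to log or ticket


def _local_name(tag: str) -> str:
    """'{http://base.google.com/ns/1.0}title' -> 'title'."""
    return tag.rsplit("}", 1)[-1]


def _redact(text: str) -> str:
    """Mask every pattern hit with asterisks so the finding itself carries no personal data."""
    for pat in PII_PATTERNS.values():
        text = pat.sub(lambda m: "*" * len(m.group()), text)
    return text


def scan_feed(xml_bytes: bytes) -> List[Finding]:
    """Screen a Google Shopping feed and return one Finding per (item, field, pattern) hit."""
    # ElementTree/expat does not fetch external entities, but it does expand internal
    # ones; for feeds from sources you do not control, parse with defusedxml instead.
    root = ET.fromstring(xml_bytes)
    findings: List[Finding] = []
    for item in root.iter("item"):
        item_id = item.findtext(f"{{{G_NS}}}id") or "<no g:id>"
        for child in item:
            field = _local_name(child.tag)
            if field not in FIELDS_TO_SCAN or not child.text:
                continue
            for kind, pat in PII_PATTERNS.items():
                hits = pat.findall(child.text)
                if hits:
                    findings.append(Finding(item_id, field, kind, len(hits), _redact(child.text)))
    return findings


# Constructed two-item sample feed: SKU-001 has a contact e-mail and phone number
# pasted into its description, SKU-002 is clean.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:g="http://base.google.com/ns/1.0" version="2.0">
  <channel>
    <title>Demo shop</title>
    <item>
      <g:id>SKU-001</g:id>
      <g:title>Ceramic mug 300 ml</g:title>
      <g:description>Dishwasher safe. Questions? Write to jana.novakova@example.com or call +420 601 123 456.</g:description>
      <g:price>249.00 CZK</g:price>
      <g:gtin>4006381333931</g:gtin>
    </item>
    <item>
      <g:id>SKU-002</g:id>
      <g:title>Steel water bottle 750 ml</g:title>
      <g:description>Keeps drinks cold for 24 hours.</g:description>
      <g:price>399.00 CZK</g:price>
    </item>
  </channel>
</rss>
"""


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FEED
    results = scan_feed(data)
    for f in results:
        print(f"{f.item_id}\t{f.field}\t{f.kind} x{f.count}\t{f.redacted}")
    # Non-zero exit lets a feed export pipeline block the upload until the fields are cleaned.
    sys.exit(1 if results else 0)
```

Run it against an exported feed file (`python scan_feed.py feed.xml`) as a gate before the feed URL is registered with the Platform. The findings carry only masked text, so the report itself can be attached to a ticket without copying the personal data it flags; the patterns will also catch product descriptions that legitimately quote a phone-shaped number, which is why the output is a review list rather than an automatic edit.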
4. Processor's Obligations
4.1 PROCESSING ON INSTRUCTIONS ONLY. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by Union or Member State law. In such case, the Processor shall inform the Controller of that legal requirement prior to processing, unless prohibited from doing so on important grounds of public interest.
4.2 CONFIDENTIALITY. The Processor shall ensure that all persons authorised to process Personal Data under this DPA are bound by an obligation of confidentiality, whether by contract or by statutory obligation, and that they process Personal Data only to the extent necessary for the performance of their tasks.
4.3 SECURITY MEASURES. The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, taking into account the nature, scope, context, and purposes of processing. The security measures currently implemented are described in Annex 3 to this DPA. The Processor may update these measures provided that the level of protection is not reduced.
4.4 SUB-PROCESSORS. The Controller hereby grants the Processor general written authorisation to engage Sub-Processors. The Sub-Processors currently engaged by the Processor are listed in Annex 2 to this DPA. The Processor shall: (i) inform the Controller of any intended changes to Sub-Processors (additions or replacements) by updating Annex 2 and notifying the Controller with at least 14 days' prior notice; (ii) impose data protection obligations on Sub-Processors equivalent to those set out in this DPA; and (iii) remain fully liable to the Controller for the performance of Sub-Processors' obligations. The Controller may object to a proposed new Sub-Processor by notifying the Processor in writing within 14 days. If the parties cannot resolve the objection, the Controller may terminate the Agreement.
4.5 DATA SUBJECT RIGHTS. The Processor shall assist the Controller, by appropriate technical and organisational measures insofar as reasonably practicable, to fulfil its obligation to respond to Data Subject requests to exercise their rights under Chapter III of the GDPR. If the Processor receives a request directly from a Data Subject, it shall promptly forward it to the Controller and shall not respond to the Data Subject directly unless authorised to do so by the Controller.
4.6 ASSISTANCE WITH COMPLIANCE. The Processor shall assist the Controller in ensuring compliance with the obligations set out in Articles 32–36 GDPR, having regard to the nature of the processing and the information available to the Processor. This includes assistance with security obligations, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
4.7 PERSONAL DATA BREACH NOTIFICATION. The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification shall include: (i) a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned; (ii) the name and contact details of the data protection contact point; (iii) a description of the likely consequences of the breach; and (iv) a description of the measures taken or proposed by the Processor to address the breach. Where full information is not yet available, the Processor shall provide information in phases without undue further delay.
4.8 RETURN AND DELETION OF DATA. Upon termination or expiry of the Agreement, or upon written request by the Controller at any time, the Processor shall, at the Controller's election: (i) return to the Controller all Personal Data in a structured, commonly used, machine-readable format; or (ii) securely delete all Personal Data, including any copies held by Sub-Processors, and provide written confirmation thereof. Deletion shall be carried out within 90 days of the request or of the termination of the Agreement, unless the Processor is required to retain the data under Union or Member State law, in which case it shall inform the Controller and limit processing to what is strictly required by that legal obligation.
4.9 RECORDS OF PROCESSING ACTIVITIES. The Processor shall maintain records of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) GDPR, and shall make such records available to the Controller or the competent Supervisory Authority upon request.
4.10 AUDITS AND INSPECTIONS. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, provided that: (i) the Controller gives at least 30 days' prior written notice; (ii) audits are conducted during normal business hours and no more than once per year, unless there are reasonable grounds to suspect a breach; (iii) the Controller bears all costs of such audits unless a material non-compliance is identified. As an alternative to on-site audits, the Processor may provide the Controller with a current third-party audit report (e.g. ISO 27001, SOC 2) confirming equivalent compliance.
5. International Data Transfers
5.1 TRANSFERS OUTSIDE THE EEA. Where Personal Data is transferred to or processed in countries outside the European Economic Area (EEA) in connection with the engagement of Sub-Processors listed in Annex 2, the Processor shall ensure that such transfers are subject to appropriate safeguards pursuant to Chapter V of the GDPR. The primary safeguard used is the Standard Contractual Clauses adopted by the European Commission.
5.2 TRANSFER IMPACT ASSESSMENTS. The Processor shall conduct and maintain transfer impact assessments (TIAs) for transfers to Sub-Processors in third countries where required and shall apply any additional technical, contractual, or organisational measures identified as necessary to ensure an equivalent level of protection.
5.3 NOTIFICATION OF LEGAL ORDERS. If the Processor or any Sub-Processor receives a legally binding request from a public authority in a third country to disclose Personal Data processed under this DPA, the Processor shall, to the extent permitted by law, notify the Controller before complying and shall use all available legal means to challenge or limit such disclosure.
6. Liability
6.1 CONTROLLER'S LIABILITY. The Controller is liable for ensuring that Personal Data submitted to the Platform is processed in compliance with applicable data protection law and that the Controller has a valid legal basis for any processing instructed under this DPA.
6.2 PROCESSOR'S LIABILITY. The Processor is liable for damage caused by processing that infringes the GDPR to the extent that it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the Controller's lawful instructions.
6.3 LIMITATION OF LIABILITY. The Processor's liability under this DPA is subject to the limitations set out in the Terms of Service. In particular, the Processor's aggregate liability under this DPA shall not exceed the cap set out in the Terms of Service. Nothing in this DPA shall exclude or limit liability in cases of wilful misconduct or gross negligence.
7. Term and Termination
7.1 TERM. This DPA enters into force on the date the Controller accepts the Terms of Service and remains in force for as long as the Processor processes Personal Data on behalf of the Controller under the Agreement.
7.2 TERMINATION. This DPA terminates automatically upon termination or expiry of the Agreement. Obligations of confidentiality and security, the data deletion obligations under Article 4.8, and any provisions necessary for the resolution of disputes or enforcement of rights shall survive termination.
8. Governing Law and Jurisdiction
8.1 GOVERNING LAW. This DPA is governed by the laws of the Czech Republic, subject to any mandatory provisions of EU data protection law.
8.2 JURISDICTION. Any disputes arising from this DPA shall be subject to the jurisdiction of the competent courts of the Czech Republic, consistent with the jurisdiction clause in the Terms of Service.
9. Miscellaneous
9.1 PRECEDENCE. In the event of any conflict between this DPA and any other agreement between the parties regarding the subject matter of data protection, this DPA shall take precedence.
9.2 AMENDMENTS. This DPA may be amended by the Processor upon notice to the Controller in accordance with the amendment procedure set out in the Terms of Service. Where an amendment is required to ensure compliance with applicable data protection law, it shall take effect immediately upon notice.
9.3 SEVERABILITY. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
9.4 LANGUAGE. This DPA is provided in English, which constitutes the legally binding version. A Czech-language informational translation is available at shoptera.ai. In the event of any inconsistency between language versions, the English version shall prevail.
ANNEXES
ANNEX 1 — Description of Processing Activities
This Annex sets out the details of the processing activities carried out by the Processor on behalf of the Controller pursuant to Article 28(3) GDPR.
| Element | Details |
|---|---|
| Subject matter of processing | Automated optimisation of the Controller's product XML feeds for Google Shopping, including feed quality analysis (Feed Health), AI-generated improvement Suggestions, attribute enrichment via web crawling of the Controller's e-commerce store, and synchronisation of the optimised feed. |
| Duration of processing | For the duration of the Agreement between the parties and for such period thereafter as is necessary to fulfil the Processor's obligations, subject to the retention periods set out in this DPA. |
| Nature of processing | Collection, storage, retrieval, analysis, transformation, structuring, and deletion of product feed data; automated analysis of e-commerce store pages (web crawling); AI-driven generation of product attribute Suggestions; feed synchronisation and export. |
| Purpose of processing | To provide the Shoptera platform service as described in the Terms of Service, specifically to analyse, enrich, and optimise the Controller's product XML feed for use in Google Shopping advertising. |
| Types of personal data | The Controller's product XML feed and e-commerce store pages ordinarily contain business/product data rather than personal data. However, they may incidentally contain: names or contact details of sellers or business contacts embedded in product attributes; customer-generated content (e.g. review author names) on publicly accessible store pages; any other personal data that the Controller includes in product feed fields or on product pages. The Processor does not require or request personal data as part of the service; any such data is processed solely because it is incidentally present in the feed or store pages provided by the Controller. |
| Categories of data subjects | Individuals whose personal data may be incidentally present in the Controller's product feed or publicly accessible e-commerce store pages, potentially including: business contacts, sellers, or employees of the Controller whose details appear in product data; individuals who have left public reviews or ratings on product pages. |
ANNEX 2 — Authorised Sub-Processors
The following Sub-Processors are authorised to process Personal Data on behalf of the Controller as at the date of this DPA. The Processor shall update this list and provide 14 days' prior notice of any changes.
| Sub-Processor | Processing activity | Location | Transfer safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, object storage (S3), relational database (RDS), serverless AI Agent processing (Lambda), caching (ElastiCache), feed delivery via CDN (CloudFront) | Germany (AWS eu-central-1 region, Frankfurt); provider headquartered in the USA | Standard Contractual Clauses (SCC) |
| Resend | Transactional email delivery (account notifications, renewal reminders) | USA | Standard Contractual Clauses (SCC) |
| Payment processor (Stripe or equivalent) | Subscription payment processing, limited to billing contact data | EU / USA | Standard Contractual Clauses (SCC) |
ANNEX 3 — Technical and Organisational Security Measures
The following technical and organisational measures are implemented by the Processor to ensure a level of security appropriate to the risk, pursuant to Article 32 GDPR.
| Category | Measures implemented |
|---|---|
| Encryption | TLS 1.2+ for all data in transit; AES-256 encryption for data at rest across all AWS storage services (S3, RDS, ElastiCache). |
| Access control | Role-based access controls (RBAC); principle of least privilege applied to all infrastructure components; MFA required for administrative access; all access to production systems logged. |
| Isolation and separation | AI Agent workloads processed in isolated AWS Lambda environments; each Client's feed data stored in logically separated storage partitions; no cross-client data access. |
| Network security | AWS VPC network isolation; firewall rules restricting inbound access; DDoS protection via AWS Shield. |
| Data minimisation | Enrichment Agent retains only extracted structured attributes; raw crawled page content deleted within 30 days; no personal data from feeds retained beyond service purposes. |
| Incident response | Security incident detection via AWS CloudTrail and automated alerting; documented breach response procedure, including notification of the Controller within 48 hours under Article 4.7 so that the Controller can meet its own 72-hour notification obligation to the Supervisory Authority under Article 33 GDPR where required. |
| Availability and resilience | Data stored across AWS availability zones; automated backups; disaster recovery procedures in place. |
| Vendor management | All sub-processors bound by data processing agreements; periodic review of sub-processor security compliance. |
Statistix s.r.o. | Reg. ID: 21035334 | Kaprova 42/14, Staré Město, 110 00 Prague | shoptera.ai
