Legal

Data Processing Agreement

GDPR-compliant data processing terms for B2B platform users. Last updated: 1 March 2026.

This Data Processing Agreement ("DPA") is entered into between Exact Solutions Sp. z o.o. ("Processor") and you, the B2B platform user ("Controller"), and forms part of the Seller Agreement. It is required under Article 28 of the EU General Data Protection Regulation (GDPR).
1. Definitions
In this DPA: "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Platform. "Processing" has the meaning given in Article 4(2) GDPR. "Data Subject" means the natural person to whom Personal Data relates. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of processing
The Processor processes Personal Data on behalf of the Controller for the purpose of operating the B2B wholesale platform, including: processing orders placed by the Controller; maintaining account records; generating invoices and financial records; providing customer support; and complying with applicable laws.
3. Nature of data processed
Categories of Personal Data processed: contact details of Controller representatives (name, email, phone); billing and shipping address data; order history and transaction records; account login credentials (encrypted). Special categories of personal data are not processed.
4. Instructions for processing
The Processor shall process Personal Data only on documented instructions from the Controller, except where required to do so by EU or Member State law. The Controller's instructions are set out in the Seller Agreement and these Terms. The Processor shall inform the Controller if an instruction infringes GDPR.
5. Confidentiality
The Processor shall ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations. Access to Personal Data is restricted to staff whose job functions require such access.
6. Security measures
The Processor implements appropriate technical and organisational measures including: 256-bit TLS encryption for all data in transit; AES-256 encryption for sensitive data at rest; role-based access controls; regular security audits; incident response procedures; penetration testing twice annually.
7. Sub-processors
The Controller authorises the following sub-processors: Stripe, Inc. (payment processing, USA — SCCs in place); Google LLC (analytics and email, USA — SCCs in place); Amazon Web Services EMEA SARL (cloud hosting, Ireland); Postmark (transactional email, USA — SCCs in place). The Processor will notify the Controller of any intended changes to sub-processors at least 14 days in advance.
8. Data subject rights
The Processor shall assist the Controller in responding to Data Subject rights requests (access, erasure, portability, rectification). Requests must be forwarded to privacy@exactsolutions.pl. The Processor will respond within 5 business days.
9. Data breach notification
The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data breach involving the Controller's data. Notification will be sent to the registered email address of the Controller's account.
10. Return or deletion
Upon termination of the Seller Agreement, the Processor shall at the Controller's choice return or delete all Personal Data, unless retention is required by applicable law (e.g., financial records retained for 7 years). The Controller may request a data export in CSV format at any time.
11. Audit rights
The Controller has the right to audit the Processor's compliance with this DPA upon 30 days' written notice. Audits may be conducted by the Controller or an independent third party agreed with the Processor. The cost of audits is borne by the Controller unless a material breach is found.

Data protection enquiries

Contact our DPO at privacy@exactsolutions.pl