Data Processing Agreement

Last updated: March 29, 2026

This DPA forms part of the agreement between RunOpSync ("Processor") and the entity accepting the RunOpSync Terms of Service ("Controller"). By using the Service, you agree to this DPA.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose

The Processor processes Personal Data solely to provide the RunOpSync platform services, including:

  • Syncing product, order, and customer data from connected e-commerce platforms (Shopify, Amazon, Noon)
  • Managing entity, employee, and compliance data for business operations
  • Processing payroll data and generating WPS files
  • Generating analytics, reports, and forecasts
  • Sending transactional emails and notifications

3. Categories of Personal Data

Category | Data Elements | Data Subjects
Customer Data | Names, emails, shipping addresses, order history | Controller's customers
Employee Data | Names, Emirates IDs, visa numbers, bank details, salaries | Controller's employees
Account Data | Names, emails, passwords (hashed) | Controller's authorized users
Financial Data | Order amounts, transaction records, ad spend | Controller's customers

4. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure security of processing
  • Not engage another processor without prior written authorization of the Controller
  • Assist the Controller in responding to data subject requests
  • Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance

5. Security Measures

The Processor implements the following security measures:

  • Encryption: TLS 1.3 in transit; AES-256 at rest (database encryption)
  • Authentication: bcrypt password hashing (cost factor 12); JWT session tokens
  • Access Control: Role-based access control (RBAC) with 5 permission levels
  • Infrastructure: Database hosted on Neon (AWS EU Frankfurt); Application hosted on Vercel (edge network)
  • API Security: Third-party API tokens stored as encrypted environment variables, never in database
  • Audit Logging: All data mutations recorded with timestamp, user, and action
  • Data Minimization: Only data necessary for service delivery is collected and processed

6. Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processor | Purpose | Location
Neon (neon.tech) | Database hosting and storage | EU (Frankfurt)
Vercel (vercel.com) | Application hosting and CDN | Global Edge
Resend (resend.com) | Transactional email delivery | US
Stripe (stripe.com) | Payment processing | US / EU

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

7. Data Breach Notification

  • The Processor shall notify the Controller without undue delay and within 48 hours of becoming aware of a Data Breach
  • Notification shall include: nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken to address the breach
  • The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
  • The Controller is responsible for notifying relevant supervisory authorities and data subjects as required by applicable law (GDPR: 72 hours; PIPEDA: as soon as feasible; UAE PDPL: per regulations)

8. Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests, including:

  • Access requests: The Controller can export all data via the platform's Data Export feature
  • Deletion requests: The Controller can delete customer data via the platform's Data Deletion feature, or by contacting the Processor
  • Correction requests: The Controller can modify data directly within the platform
  • The Processor shall respond to assistance requests within 10 business days

9. Cross-Border Transfers

  • Primary data storage is in the European Union (Frankfurt)
  • Application processing occurs on Vercel's global edge network
  • For transfers outside the EU/EEA, the Processor relies on Standard Contractual Clauses (SCCs) with sub-processors
  • For Canadian Personal Data, transfers comply with PIPEDA's requirements and OPC guidance on cross-border transfers
  • For UAE Personal Data, transfers comply with UAE PDPL cross-border transfer requirements

10. Data Retention and Deletion

  • Personal Data is retained for the duration of the service agreement
  • Upon termination, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law
  • The Controller may request data export before deletion via the platform's export feature
  • Audit logs are retained for 12 months after termination for compliance purposes
  • Backups containing Personal Data are purged within 90 days of deletion

11. Audits

  • The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA
  • The Controller may conduct audits, including inspections, with 30 days' written notice
  • Audits shall be conducted during business hours and shall not unreasonably disrupt the Processor's operations
  • The Controller shall bear its own costs of any audit

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the RunOpSync Terms of Service. The Processor's total aggregate liability for all claims arising from this DPA shall not exceed the fees paid by the Controller in the twelve (12) months preceding the claim.

13. Governing Law

This DPA is governed by the same law governing the RunOpSync Terms of Service. For matters specifically relating to data protection, the laws of the jurisdiction where the data subjects reside shall apply to the extent required by those laws.

14. Contact

Data Protection inquiries: privacy@runopsync.com

Legal inquiries: legal@runopsync.com