# Data Processing Agreement (DPA)

**Template for Business Customers**

---

## PARTIES

**Data Controller ("Controller"):**
[Business Customer Name]
[Address]
[Registration Number]

**Data Processor ("Processor"):**
Nova AI Ventures, trading as SnapSell AI
Registered in Poland
Email: privacy@snap-sell.app

**Effective Date:** [Date]

---

## RECITALS

WHEREAS:

A. The Controller wishes to use SnapSell AI services for marketplace listing creation and management;

B. The provision of these services requires the Processor to process personal data on behalf of the Controller;

C. The Parties wish to ensure that such processing complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection laws;

NOW THEREFORE, the Parties agree as follows:

---

## 1. DEFINITIONS

**1.1** "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

**1.2** "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR.

**1.3** "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

**1.4** "Subprocessor" means any processor engaged by the Processor to process Personal Data on behalf of the Controller.

**1.5** "Services" means the SnapSell AI services provided under the main service agreement.

**1.6** "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

---

## 2. SCOPE AND PURPOSE

**2.1 Subject Matter**
This Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of SnapSell AI services.

**2.2 Nature and Purpose of Processing**
The Processor will process Personal Data for the following purposes:
- AI photo enhancement and processing
- Listing creation and management
- Multi-platform listing synchronization
- AI-generated content creation
- Analytics and service improvement

**2.3 Types of Personal Data**
The following categories of Personal Data may be processed:
- Seller account information (name, email, contact details)
- Product photographs and content
- Listing information (titles, descriptions, prices)
- Buyer contact information (when facilitating sales)
- Transaction and order data

**2.4 Categories of Data Subjects**
- Controller's employees using the platform
- Controller's customers (buyers)
- Third parties appearing in uploaded content

**2.5 Duration**
Processing will continue for the duration of the main service agreement plus any retention period required by law.

---

## 3. CONTROLLER OBLIGATIONS

**3.1** The Controller warrants that:

(a) It has the legal right to disclose Personal Data to the Processor;

(b) It has provided appropriate notices and obtained necessary consents from Data Subjects;

(c) Its instructions to the Processor will comply with applicable data protection laws;

(d) It has assessed the appropriateness of the security measures provided by the Processor.

**3.2** The Controller shall:

(a) Provide documented instructions for processing;

(b) Ensure compliance with GDPR in respect of Personal Data transferred to the Processor;

(c) Notify the Processor promptly of any changes to applicable data protection laws affecting processing.

---

## 4. PROCESSOR OBLIGATIONS

**4.1 Processing Instructions**

(a) The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law.

(b) The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other data protection laws.

**4.2 Confidentiality**

(a) The Processor shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under statutory confidentiality obligations.

(b) The Processor shall not disclose Personal Data to third parties except as permitted by this Agreement or with Controller's prior written consent.

**4.3 Security Measures**

(a) The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

| Measure | Description |
|---------|-------------|
| Encryption | Data encrypted at rest (AES-256) and in transit (TLS 1.2+) |
| Access Control | Role-based access, multi-factor authentication |
| Pseudonymization | Where appropriate for processing purposes |
| Availability | Redundant systems, regular backups |
| Testing | Regular security assessments and penetration testing |

(b) The Processor shall document its security measures in Annex A (Security Measures).

**4.4 Subprocessing**

(a) The Controller provides general authorization for the Processor to engage Subprocessors listed in Annex B (Subprocessor List).

(b) The Processor shall notify the Controller of any intended changes to Subprocessors at least 30 days in advance, allowing the Controller to object.

(c) The Processor shall ensure Subprocessor contracts impose equivalent data protection obligations.

(d) The Processor remains fully liable for Subprocessor compliance.

**4.5 Data Subject Rights**

(a) The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under GDPR Articles 15-22.

(b) The Processor shall promptly notify the Controller of any Data Subject request received directly.

(c) The Processor shall not respond to Data Subject requests directly except as instructed by the Controller.

**4.6 Security Incidents**

(a) The Processor shall notify the Controller of any Security Incident without undue delay, and no later than 24 hours after becoming aware.

(b) Notification shall include:
- Description of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Contact point for further information
- Description of likely consequences
- Description of measures taken or proposed

(c) The Processor shall cooperate with the Controller in investigating and remediating Security Incidents.

**4.7 Data Protection Impact Assessments**

The Processor shall assist the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities as required under GDPR Articles 35 and 36.

**4.8 Audit Rights**

(a) The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement.

(b) The Processor shall allow and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality requirements.

(c) Audits shall be conducted during normal business hours with minimal disruption.

---

## 5. INTERNATIONAL DATA TRANSFERS

**5.1** Personal Data may be transferred to countries outside the EEA only where appropriate safeguards are in place:

| Transfer Mechanism | Application |
|-------------------|-------------|
| EU-US Data Privacy Framework | For US-based Subprocessors certified under DPF |
| Standard Contractual Clauses | For other third-country transfers |
| Adequacy Decision | For countries with EU adequacy finding |

**5.2** Current third-country transfers:

| Subprocessor | Country | Mechanism |
|--------------|---------|-----------|
| Google Cloud | USA | EU-US Data Privacy Framework |
| Stripe | USA | EU-US DPF + SCCs |

**5.3** The Processor shall notify the Controller of any new third-country transfers and ensure appropriate safeguards are in place before transfer.

---

## 6. DATA RETENTION AND DELETION

**6.1** Upon termination of the main service agreement, or upon Controller's request, the Processor shall:

(a) Return all Personal Data to the Controller in a structured, commonly used format; and/or

(b) Delete all Personal Data and certify such deletion in writing.

**6.2** The Processor may retain Personal Data where required by EU or Member State law, subject to confidentiality obligations.

**6.3** Retention periods for specific data categories are set out in Annex C (Data Retention Schedule).

---

## 7. LIABILITY AND INDEMNIFICATION

**7.1** Each Party shall be liable for damages caused by processing that infringes GDPR to the extent provided in GDPR Article 82.

**7.2** The Processor shall indemnify the Controller for any fines, penalties, or damages arising from the Processor's breach of this Agreement or GDPR.

**7.3** Liability caps in the main service agreement apply to this Agreement, except that:

(a) No cap applies to liability for intentional misconduct or gross negligence;

(b) No cap applies to regulatory fines to the extent prohibited by law.

---

## 8. TERM AND TERMINATION

**8.1** This Agreement shall remain in effect for the duration of the main service agreement.

**8.2** This Agreement automatically terminates upon termination of the main service agreement.

**8.3** Obligations regarding data return/deletion, confidentiality, and liability survive termination.

---

## 9. GENERAL PROVISIONS

**9.1 Governing Law**
This Agreement is governed by the laws of Poland and the GDPR.

**9.2 Jurisdiction**
Disputes shall be resolved by the courts of Warsaw, Poland, without prejudice to Data Subjects' rights to lodge complaints with supervisory authorities.

**9.3 Amendments**
This Agreement may only be amended in writing signed by both Parties.

**9.4 Severability**
If any provision is found invalid, the remaining provisions remain in full force.

**9.5 Entire Agreement**
This Agreement, together with its Annexes, constitutes the entire data processing agreement between the Parties.

**9.6 Precedence**
In case of conflict between this Agreement and the main service agreement regarding data protection matters, this Agreement prevails.

---

## SIGNATURES

**For the Controller:**

Name: _______________________
Title: _______________________
Date: _______________________
Signature: _______________________

**For the Processor (Nova AI Ventures):**

Name: _______________________
Title: _______________________
Date: _______________________
Signature: _______________________

---

## ANNEX A: SECURITY MEASURES

### Technical Measures

| Category | Measure |
|----------|---------|
| **Encryption** | AES-256 at rest, TLS 1.3 in transit |
| **Access Control** | RBAC, MFA for admin access |
| **Network Security** | Firewall, DDoS protection, VPC isolation |
| **Application Security** | OWASP controls, input validation, CSP headers |
| **Monitoring** | Intrusion detection, log aggregation, alerting |
| **Backup** | Daily automated backups, 30-day retention |

### Organizational Measures

| Category | Measure |
|----------|---------|
| **Personnel** | Background checks, confidentiality agreements |
| **Training** | Annual security awareness training |
| **Access Management** | Quarterly access reviews, need-to-know basis |
| **Incident Response** | Documented response plan, tested annually |
| **Vendor Management** | DPA requirements, security assessments |

---

## ANNEX B: APPROVED SUBPROCESSORS

| Subprocessor | Services | Location | Transfer Mechanism |
|--------------|----------|----------|-------------------|
| Google Cloud Platform | Infrastructure, database, storage | Belgium (EU), USA | EU-US DPF |
| Google Gemini | AI processing | USA | EU-US DPF |
| Firebase | Authentication, hosting | Belgium (EU), USA | EU-US DPF |
| Stripe | Payment processing | Ireland (EU), USA | EU-US DPF + SCCs |

**Notification of Changes:**
The Controller will be notified at least 30 days before any Subprocessor change at the email address on file.

---

## ANNEX C: DATA RETENTION SCHEDULE

| Data Category | Retention Period | Legal Basis |
|---------------|------------------|-------------|
| Account information | Duration of service + 30 days | Contract |
| Listing content | Until deleted or service termination | Contract |
| Transaction records | 7 years | Legal obligation |
| Support communications | 3 years | Legitimate interest |
| Server logs | 90 days | Security |

---

## ANNEX D: CONTROLLER INSTRUCTIONS

The Controller instructs the Processor to process Personal Data for the following purposes:

1. Provide SnapSell AI platform services as described in the service agreement
2. Process product photographs using AI enhancement
3. Generate listing content using AI
4. Synchronize listings to connected external marketplaces
5. Process transactions and maintain records
6. Provide customer support
7. Maintain platform security
8. Generate anonymized analytics for service improvement

Additional instructions must be provided in writing to privacy@snap-sell.app.

---

*This Data Processing Agreement is part of SnapSell AI's GDPR compliance documentation.*
