Data Processing Addendum.

"Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR (Regulation 2016/679). "Merchant Data" means all personal data that you, the merchant, collect from your customers through Cartly. "Account Data" means personal data related to your Cartly account.

Cartly acts as a Processor for merchant customer data (end-buyers of your store) and as a Controller for merchant account data. You, the merchant, are the Controller for all customer data you collect through your store.

We process personal data solely for the purpose of providing the Cartly platform services: order processing, payment handling, email notifications, analytics, and customer support. Processing is limited to what is necessary to fulfill the service agreement.

Data transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). We conduct transfer impact assessments for all subprocessors and maintain records of processing activities.

We implement technical and organizational measures including: encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, regular penetration testing, SOC 2 Type II audit, security monitoring, and incident response procedures. Full details are available in our Security Whitepaper.

In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

You may audit our compliance with this DPA once per year with 30 days' written notice. Audits may be conducted by you or a qualified third-party auditor bound by confidentiality obligations. We will provide reasonable cooperation and access to relevant documentation.

Upon termination of the service agreement, we will delete all merchant data within 30 days from primary systems and within 90 days from backups. You may request a data export in machine-readable format before deletion. Deletion certificates are available upon request.

Each party's liability under this DPA is subject to the limitations set forth in the main Terms of Service. Where we act as Processor, we are liable only for processing that does not comply with the obligations specifically directed to Processors under GDPR Article 28.