Data Processing Agreement

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person processed through the Service.
• “Processing” means any operation performed on Personal Data (collection, storage, retrieval, use, disclosure, erasure).
• “Sub-processor” means any third party engaged by NovoVendi to process Personal Data on behalf of the Customer.
• “Data Breach” means any unauthorized access to, or disclosure, alteration, or destruction of, Personal Data.

2. Scope of Processing

NovoVendi processes the following categories of Personal Data on behalf of the Customer:

• Store operational data: WooCommerce settings, plugin configurations, commerce metrics
• Order metadata: Order counts, revenue aggregates, and incidental customer data contained in order line items
• Team member data: Email addresses and roles of users invited to the Customer's NovoVendi account

Processing is carried out solely to provide the Service as described in the Terms of Service.

3. Obligations of the Data Processor

NovoVendi shall:

• Process Personal Data only on documented instructions from the Customer
• Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality
• Implement appropriate technical and organizational measures to ensure security of processing
• Not engage another processor without prior written authorization of the Customer
• Assist the Customer in responding to data subject access requests
• Delete or return all Personal Data upon termination of the Service, at the Customer's choice
• Make available all information necessary to demonstrate compliance with GDPR obligations

4. Sub-processors

NovoVendi maintains a list of approved sub-processors on our Sub-processors page. The Customer will be notified of any changes to sub-processors with at least 30 days' prior notice.

5. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, NovoVendi ensures that appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.

6. Data Breach Notification

NovoVendi shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

7. Security Measures

NovoVendi implements the following security measures:

• Encryption of passwords (bcrypt, cost factor 12)
• API credentials never exposed in application responses
• TLS encryption for all data in transit
• Rate limiting on authentication and API endpoints
• SSRF protection and Content Security Policy headers
• Role-based access control with 24 granular permissions
• Comprehensive audit logging of all administrative actions
• Input validation using schema-based validation (Zod)

8. Data Subject Rights

NovoVendi shall assist the Customer in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) through the self-service tools provided in the platform (data export and account deletion) and upon reasonable request.

9. Audit Rights

The Customer or a mandated auditor may conduct audits to verify NovoVendi's compliance with this DPA. Audits shall be conducted with reasonable advance notice (at least 30 days) and during normal business hours. NovoVendi shall cooperate fully and provide access to relevant documentation and facilities.

10. Duration & Termination

This DPA shall remain in effect for the duration of the Service agreement. Upon termination, NovoVendi shall delete all Personal Data within 30 days unless retention is required by applicable law. The Customer may request immediate deletion through the account deletion feature.

11. Contact

To request a signed copy of this DPA or discuss data processing matters, contact:

privacy@novovendi.com