Last Updated: April 17, 2026
This Data Processing Agreement (“DPA”) is entered into between Package Retriever, Inc. (“Package Retriever,” the “Processor”) and the Merchant that accepts it via the Services (the “Controller” or “Merchant”). This DPA is incorporated into and forms part of our Terms & Conditions.
1. Definitions
Capitalized terms used and not otherwise defined have the meanings given in the Terms. Additionally:
- “Applicable Privacy Law” means any law applicable to the Processing of Personal Data under this DPA, including the EU GDPR, the UK GDPR, the Swiss FADP, the CCPA, and other U.S. state privacy laws.
- “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and related terms have the meanings ascribed in Applicable Privacy Law. Under the CCPA, “Controller” corresponds to “Business” and “Processor” corresponds to “Service Provider” or “Contractor.”
- “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Decision (EU) 2021/914, and (ii) the UK Addendum to the SCCs issued by the UK Information Commissioner's Office.
- “Subprocessor” means any third party engaged by Package Retriever to Process Personal Data on behalf of Merchant.
2. Scope and Roles
This DPA applies where Package Retriever Processes Personal Data on behalf of Merchant in the course of providing the Services. With respect to such Processing, Merchant is the Controller and Package Retriever is the Processor (or Service Provider). Where Merchant is itself a processor on behalf of a third-party controller, Merchant warrants it has the authority to appoint Package Retriever as a subprocessor on terms consistent with this DPA.
3. Description of the Processing
Subject matter. Provision of the Services.
Duration. The term of the Agreement plus the retention periods described in the Privacy Policy.
Nature and purpose. Processing Personal Data to deliver fulfillment, inventory, returns, analytics, reporting, wholesale marketplace, Rewards, and related services.
Types of Personal Data. Identifiers, customer records, commercial information, electronic activity, inferences, and (as limited in the Privacy Policy) sensitive personal information.
Categories of Data Subjects. Merchant's end customers, recipients of shipments, Merchant's authorized Users, and other individuals whose Personal Data Merchant submits to the Services.
4. Controller Obligations
Merchant represents and warrants that it has a valid legal basis for the Processing, has provided required notice to Data Subjects, and has obtained required consents. Merchant's instructions to Package Retriever will at all times comply with Applicable Privacy Law.
5. Processor Obligations
5.1 Processing Instructions
Package Retriever will Process Personal Data only on documented instructions from Merchant. The Agreement, including this DPA and any configuration choices Merchant makes, constitutes such instructions. Package Retriever will inform Merchant if, in its opinion, an instruction infringes Applicable Privacy Law.
5.2 Confidentiality
Package Retriever ensures that persons authorized to Process Personal Data are under obligations of confidentiality.
5.3 Security
Package Retriever implements the technical and organizational measures described in Annex A to ensure a level of security appropriate to the risk.
5.4 Subprocessors
Merchant provides a general authorization for Package Retriever to engage Subprocessors listed on our Subprocessor List. Package Retriever will notify Merchant at least thirty (30) days before engaging a new Subprocessor that will materially change the Processing; Merchant may object on reasonable grounds related to data protection. Package Retriever imposes on each Subprocessor obligations equivalent to those in this DPA.
5.5 Assistance with Data Subject Rights
Taking into account the nature of the Processing, Package Retriever will assist Merchant by appropriate technical and organizational measures in responding to Data Subject requests to exercise their rights under Applicable Privacy Law.
5.6 Assistance with Compliance
Package Retriever will assist Merchant in ensuring compliance with obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and information available to Package Retriever.
5.7 Personal Data Breach
Package Retriever will notify Merchant without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Merchant Personal Data, providing the information reasonably required for Merchant to fulfill its own notification obligations.
5.8 Deletion or Return
Upon termination of the Services, Merchant may request the deletion or return of its Personal Data (including export in a standard format) within thirty (30) days of termination. Thereafter, Package Retriever will delete or anonymize Merchant Personal Data, except for records Package Retriever is legally required to retain. Truly aggregated and de-identified data may be retained indefinitely.
5.9 Audits
On reasonable written request not more often than once per twelve (12)-month period (except in response to a material security incident), Package Retriever will make available information reasonably necessary to demonstrate compliance with this DPA, including SOC 2, ISO 27001, or equivalent third-party audit reports where available. Where required by Applicable Privacy Law, Merchant may conduct an audit at its expense, subject to confidentiality obligations and reasonable scheduling.
6. International Transfers
Where Package Retriever Processes Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland outside those jurisdictions, the SCCs (and UK Addendum as applicable) are incorporated by reference:
- Module applicable. Module Two (Controller-to-Processor) applies where Merchant is a Controller; Module Three (Processor-to-Processor) applies where Merchant is a processor on behalf of a third-party controller.
- Docking clause. Clause 7 applies.
- Subprocessing option. Clause 9 option 2 (general authorization) applies, with the thirty (30)-day notice period set out in Section 5.4.
- Redress. Clause 11 option A (independent dispute resolution) does not apply; Data Subjects may lodge complaints with the competent supervisory authority.
- Governing law / jurisdiction. Ireland / Irish courts for EU transfers; English law / English courts for UK transfers.
- Annex I (data exporter, data importer, competent authority). Merchant is the data exporter. Package Retriever, Inc. is the data importer. The competent authority is the authority of the Member State where the data exporter is established (or Ireland if the exporter is not established in the EU).
7. CCPA Service Provider Terms
With respect to Personal Data governed by the CCPA, Package Retriever is a “Service Provider” (or “Contractor,” as applicable) and:
- Will not sell or share the Personal Data;
- Will not retain, use, or disclose the Personal Data outside the direct business relationship with Merchant or for any purpose other than the business purpose of providing the Services (except as otherwise permitted under the CCPA);
- Will not combine the Personal Data with Personal Data received from other sources, except as permitted under 11 C.C.R. § 7050(b) to perform a business purpose;
- Will comply with applicable obligations under the CCPA and provide the same level of protection as required of a Business;
- Will notify Merchant if it determines it can no longer meet its obligations under the CCPA and permit Merchant to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
8. Liability and Indemnity
Liability under this DPA is subject to the limitations in the Terms, except that, as required by the SCCs, Package Retriever's liability to Data Subjects under the SCCs is as set out therein. Nothing in this DPA excludes or limits liability for a breach of the SCCs where such exclusion or limitation would be contrary to Applicable Privacy Law.
9. Conflict
In the event of a conflict between this DPA and the Terms with respect to the Processing of Personal Data, this DPA controls. The SCCs control over this DPA with respect to Personal Data transferred from the EEA, UK, or Switzerland.
Annex A — Technical and Organizational Measures
Package Retriever maintains the following measures (updated from time to time):
- Encryption. TLS 1.2+ in transit; encryption at rest for stored credentials, tokens, and sensitive fields; HMAC-hashed identity-graph identifiers.
- Access control. Role-based access control; least-privilege principle; multi-factor authentication for administrative access; periodic access reviews.
- Logging and monitoring. Access logs retained for auditability; anomaly detection on administrative events.
- Secure development. Code review, dependency scanning, secure-SDLC practices, and regular security testing.
- Vendor management. Written agreements, security diligence, and periodic review of Subprocessors.
- Incident response. Documented incident-response plan with defined roles, escalation paths, and notification procedures.
- Backup and resilience. Regular backups of production databases; documented disaster-recovery procedures.
- Personnel. Background screening where permitted; security awareness training on hire and annually; confidentiality agreements.
- Physical security. Data processed in physically secured data centers operated by our infrastructure Subprocessors.
Target assurance. Package Retriever is committed to obtaining SOC 2 Type II and/or ISO 27001 certification. Current status and reports are available on request under NDA.
Questions regarding this DPA: privacy@packageretriever.com.