Data Processing Addendum (DPA)

01 Definitions

"Data Protection Laws" means all applicable laws and regulations, including the GDPR, UK GDPR, and the California Consumer Privacy Act (CCPA).

"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.

"Service Data" means first-party Amazon data exports, product specifications, and other business data provided by the Controller to enable delivery of the listing rebuild service.

"Sub-processor" means any third party appointed by the Processor to process Personal Data.

02 Subject Matter and Duration

Subject Matter:

The processing covers the handling of application data, first-party Amazon data exports (provided directly by the Controller), and product information supplied by the Controller, for the sole purpose of producing listing strategy and content deliverables under the AI-Native Listing Rebuild service. No access to the Controller's Amazon Seller Central account or third-party APIs is sought or used.

Duration:

Processing continues for the duration of the service engagement, plus a retention period of up to 12 months following final delivery, after which all Personal Data is deleted or returned in accordance with Section 8.

03 Roles and Instructions

Roles:

The Controller is the Amazon seller engaging the service. The Processor is Scalerify Management LLC, acting as a content and strategy service provider.

Instructions:

Processor shall process Personal Data only on documented instructions from the Controller. Processing is limited to what is necessary to deliver the agreed listing deliverables.

No Autonomous Processing:

The Processor does not deploy automated decision-making systems that act on the Controller's behalf within any third-party platform. All deliverables are documents; implementation is performed by the Controller.

04 Technical and Organizational Measures

Processor has implemented appropriate security measures for a document-based service provider, including:

• Access Control: Project files are accessible only to personnel directly involved in delivering the specific engagement.
• Encryption: Data in transit is protected using industry-standard TLS encryption. Files at rest are stored on encrypted cloud infrastructure.
• Data Minimization: Only data strictly necessary to complete the deliverables is collected and retained.
• No Credential Storage: No Amazon Seller Central login credentials or platform API keys are ever requested, transmitted, or stored.

05 Sub-processing

Controller grants a general authorization to Processor to use the following categories of Sub-processors, each bound by data protection obligations consistent with this Addendum:

• Form submission provider (e.g., Formspree or equivalent) — for receiving application data.
• Cloud storage provider (e.g., Google Drive, Notion, or equivalent) — for project file management during delivery.
• Email provider — for service communications and delivery.
• Analytics provider (Google Analytics 4, consent-gated) — for aggregated website analytics only; no project or business data is shared.

Processor will notify Controller of any intended material changes to the Sub-processor list.

06 Data Subject Rights

Processor shall, insofar as possible, assist the Controller in fulfilling obligations to respond to requests from individuals exercising their rights (e.g., right of access, rectification, deletion) under applicable Data Protection Laws.

07 Personal Data Breach

Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. Processor will provide sufficient information to allow Controller to meet any applicable reporting obligations.

08 Deletion or Return of Data

Upon termination of the Services or at the Controller's written request, Processor shall delete or return all Personal Data and Service Data to the Controller within a reasonable timeframe, unless applicable law requires longer storage. Standard retention following final delivery is 12 months.

09 CCPA Specific Provisions (California)

To the extent the CCPA applies, Processor confirms it is a "Service Provider." Processor shall not sell or share Personal Data and shall not retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the Services specified in the Agreement.

10 Governing Law

This Addendum shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles.