Back to Home

Data Processing Agreement

Last updated: March 13, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Glosbits ("Processor") and you ("Controller") governing the processing of personal data.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

2. Scope of Processing

2.1 Subject Matter

The Processor shall process Personal Data on behalf of the Controller to provide order management, inventory synchronization, and related e-commerce services.

2.2 Duration

Processing shall continue for the duration of the service agreement, plus any retention period required by law or agreed upon by the parties.

2.3 Nature and Purpose

The nature and purpose of processing includes:

  • Order management and fulfillment
  • Inventory tracking and synchronization
  • Customer data management
  • Analytics and reporting
  • API integrations with third-party platforms

2.4 Types of Personal Data

  • Customer names and contact information
  • Order details and transaction history
  • Shipping addresses
  • Payment information (processed through secure third-party processors)

2.5 Categories of Data Subjects

  • End customers of the Controller
  • Controller's employees and authorized users

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage Sub-processors only with prior authorization from the Controller
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests
  • Delete or return Personal Data upon termination of services, unless retention is required by law
  • Make available all information necessary to demonstrate compliance with this DPA

4. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and multi-factor authentication
  • Regular security assessments and penetration testing
  • Secure OAuth 2.0 authentication for API integrations
  • Token rotation and secure credential storage
  • Intrusion detection and monitoring systems
  • Regular backups with encryption
  • Incident response procedures

5. Sub-processors

The Processor may engage Sub-processors to assist in providing the Services. Current Sub-processors include:

  • Cloud infrastructure providers (AWS, Google Cloud)
  • Payment processors
  • Email service providers
  • Analytics services

The Processor shall inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay (within 72 hours where feasible)
  • Provide details of the breach, including affected data and Data Subjects
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Controller in any breach investigation

8. International Data Transfers

If Personal Data is transferred outside the EEA, the Processor shall ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules
  • Other legally recognized transfer mechanisms

9. Audits

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor shall cooperate with such audits and provide access to relevant documentation and facilities.

10. Liability

Each party shall be liable for damages caused by its breach of this DPA or applicable data protection laws. Limitations of liability in the main service agreement shall apply to this DPA.

11. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall return or delete Personal Data as instructed by the Controller, unless retention is required by law.

12. Contact

For questions about this Data Processing Agreement, please contact: