MerchantOps

Data Processing Agreement

Last updated: December 16, 2025

Summary

This Data Processing Agreement ("DPA") governs how MerchantOps processes personal data on your behalf when you use our services. It establishes our roles, responsibilities, security measures, and compliance obligations under applicable U.S. and Canadian privacy laws.

1. Introduction and Scope

1.1 Parties

This DPA is entered into by and between Pixellab LLC, doing business as MerchantOps ("MerchantOps," "Processor," "we," "us," or "our") and the entity agreeing to the MerchantOps Terms of Service ("Client," "Controller," "you," or "your").

1.2 Incorporation

This DPA supplements and is incorporated into the MerchantOps Terms of Service (the "Agreement"). This DPA applies when MerchantOps processes Personal Data on behalf of Client in connection with the MerchantOps platform and services (the "Service").

1.3 Applicable Law

This DPA addresses data protection requirements under applicable U.S. federal and state privacy laws, including but not limited to:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Other applicable U.S. state privacy laws
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Applicable Canadian provincial privacy laws (e.g., Quebec Law 25, PIPA Alberta, PIPA BC)

1.4 Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and a separately executed data processing agreement between the parties, the separately executed agreement shall prevail.

2. Definitions

For purposes of this DPA:

  • "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Controller" (or "Business" under CCPA) means the entity that determines the purposes and means of Processing Personal Data.
  • "Processor" (or "Service Provider" under CCPA) means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by MerchantOps to Process Personal Data on behalf of Client.
  • "Data Subject" (or "Consumer" under applicable law) means an identified or identifiable individual to whom Personal Data relates.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of such data.
  • "Client Data" means all data, including Personal Data, that Client uploads, submits, or transmits to the Service.

3. Roles and Responsibilities

3.1 Client as Controller

Client acknowledges and agrees that:

  • Client is the Controller of Personal Data submitted to the Service
  • Client determines the purposes and means of Processing Personal Data
  • Client is responsible for the lawfulness of collecting and providing Personal Data to MerchantOps
  • Client is responsible for providing any required notices and obtaining any required consents from Data Subjects
  • Client is responsible for the accuracy, quality, and legality of Personal Data

3.2 MerchantOps as Processor

MerchantOps acknowledges and agrees that:

  • MerchantOps acts as a Processor of Personal Data on behalf of Client
  • MerchantOps will Process Personal Data only in accordance with Client's documented instructions
  • MerchantOps will not sell Personal Data or use it for purposes other than providing the Service
  • MerchantOps will not retain, use, or disclose Personal Data for any purpose other than performing the Service
  • MerchantOps will not combine Personal Data with data from other sources except as necessary to provide the Service

3.3 Instructions

Client instructs MerchantOps to Process Personal Data to the extent necessary to: (a) provide, maintain, secure, and support the Service; (b) comply with Client's instructions communicated through the Service or in writing; and (c) comply with applicable law. MerchantOps will inform Client if, in its opinion, an instruction violates applicable data protection law.

4. Sub-processors

4.1 Authorization

Client authorizes MerchantOps to engage Sub-processors to Process Personal Data on Client's behalf, subject to the requirements of this Section 4. A current list of Sub-processors is available in Annex C.

4.2 Sub-processor Agreements

MerchantOps will enter into written agreements with each Sub-processor that impose data protection obligations no less protective than those in this DPA. MerchantOps remains liable for the acts and omissions of its Sub-processors.

4.3 Changes to Sub-processors

MerchantOps will notify Client at least thirty (30) days before engaging a new Sub-processor by updating the Sub-processor list and providing notice via email to the account contact. Client may object to a new Sub-processor on reasonable data protection grounds by providing written notice within fifteen (15) days of receiving notification.

4.4 Objection Process

If Client objects to a new Sub-processor, the parties will work in good faith to find a mutually acceptable resolution. If no resolution is reached within thirty (30) days, Client may terminate the affected Service by providing written notice, and MerchantOps will refund any prepaid fees for the terminated portion of the Service.

5. Security Measures

5.1 Security Program

MerchantOps maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of Personal Data. The program includes the technical and organizational measures described in Annex B.

5.2 Security Measures

MerchantOps implements and maintains appropriate security measures, including:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Network security, including firewalls and intrusion detection
  • Regular vulnerability assessments and penetration testing
  • Secure software development practices
  • Physical security for data center facilities
  • Business continuity and disaster recovery procedures

5.3 Personnel

MerchantOps ensures that personnel authorized to Process Personal Data are bound by confidentiality obligations, receive appropriate training on data protection requirements, and access Personal Data only as necessary to perform their duties.

5.4 Security Updates

MerchantOps may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection for Personal Data.

6. Data Subject Rights

6.1 Assistance

MerchantOps will provide reasonable assistance to Client in responding to requests from Data Subjects to exercise their rights under applicable privacy laws, including rights of access, correction, deletion, and data portability.

6.2 Requests Received by MerchantOps

If MerchantOps receives a request directly from a Data Subject regarding Personal Data Processed on behalf of Client, MerchantOps will promptly notify Client and will not respond to the request except to acknowledge receipt and advise the Data Subject that Client is the Controller, unless required by applicable law.

6.3 Service Functionality

The Service provides Client with the ability to access, export, and delete Client Data, including Personal Data. Client may use these features to respond to Data Subject requests.

7. Security Incidents

7.1 Notification

MerchantOps will notify Client of any Security Incident without undue delay and in no event later than seventy-two (72) hours after becoming aware of the incident. Notification will be provided to the email address associated with Client's account and, where appropriate, through the Service.

7.2 Notification Contents

Security Incident notifications will include, to the extent known:

  • A description of the nature of the Security Incident
  • The categories and approximate number of Data Subjects affected
  • The categories and approximate amount of Personal Data involved
  • The likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident
  • Contact information for MerchantOps personnel handling the incident

7.3 Cooperation

MerchantOps will cooperate with Client in investigating and remediating any Security Incident and will provide reasonable assistance to Client in meeting any legal notification obligations.

7.4 Limitations

MerchantOps' notification of or response to a Security Incident shall not be construed as an acknowledgment of fault or liability. Client remains responsible for determining whether to notify Data Subjects or regulators.

8. Audits and Assessments

8.1 Audit Reports

Upon Client's written request, and no more than once per year, MerchantOps will provide Client with copies of relevant third-party audit reports, certifications, or summaries that demonstrate compliance with this DPA. Such reports may include SOC 2 Type II reports or equivalent assessments.

8.2 Additional Audits

If Client reasonably determines that third-party reports are insufficient to verify compliance, Client may request an additional audit upon at least thirty (30) days' written notice. Such audits shall:

  • Be limited to one on-site inspection per calendar year
  • Be conducted during normal business hours with minimal disruption
  • Be performed by Client or a mutually agreed third-party auditor
  • Be at Client's expense, unless the audit reveals material non-compliance
  • Be subject to reasonable confidentiality requirements

8.3 Regulatory Audits

MerchantOps will provide reasonable cooperation and assistance to Client in responding to audits or inquiries by data protection authorities or regulators regarding the Processing of Personal Data under this DPA.

9. Data Retention and Deletion

9.1 Retention During Service

MerchantOps will retain Personal Data for the duration of the Agreement and as necessary to provide the Service. Client may delete Personal Data at any time using the functionality provided in the Service.

9.2 Deletion Upon Termination

Upon termination or expiration of the Agreement, MerchantOps will delete all Personal Data within thirty (30) days, except as required to:

  • Comply with applicable law or legal process
  • Resolve disputes or enforce agreements
  • Maintain records required for audit or compliance purposes

9.3 Backup Retention

Personal Data retained in backups created in the ordinary course of business will be deleted in accordance with MerchantOps' standard backup retention schedules, typically within ninety (90) days.

9.4 Certification

Upon Client's written request, MerchantOps will provide written certification of the deletion of Personal Data.

10. CCPA-Specific Provisions

To the extent the California Consumer Privacy Act (CCPA) applies to the Processing of Personal Data under this DPA:

10.1 Service Provider Status

MerchantOps is a "Service Provider" as defined by the CCPA. MerchantOps is prohibited from:

  • Selling or sharing Personal Data
  • Retaining, using, or disclosing Personal Data for any purpose other than performing the Service
  • Retaining, using, or disclosing Personal Data outside the direct business relationship with Client
  • Combining Personal Data with data from other sources, except as permitted by the CCPA

10.2 Certification

MerchantOps certifies that it understands and will comply with the restrictions set forth in Section 10.1.

10.3 Consumer Rights

MerchantOps will assist Client in responding to consumer requests to know, delete, correct, or opt out, as required by the CCPA, including providing information about Personal Data Processed on behalf of Client.

11. Canadian Privacy Provisions

To the extent PIPEDA or applicable Canadian provincial privacy laws apply to the Processing of Personal Data under this DPA:

11.1 Accountability

MerchantOps acknowledges that Client remains accountable for Personal Data transferred to MerchantOps for Processing and will use contractual and other means to provide comparable protection while the data is being processed.

11.2 Safeguards

MerchantOps will protect Personal Data with security safeguards appropriate to the sensitivity of the information, in accordance with PIPEDA Principle 4.7.

11.3 Access and Correction

MerchantOps will assist Client in responding to individual access and correction requests in accordance with PIPEDA requirements.

11.4 Quebec Law 25

For Personal Data of Quebec residents, MerchantOps will comply with applicable requirements of Quebec's Act respecting the protection of personal information in the private sector (Law 25), including privacy impact assessment cooperation and incident notification requirements.

12. Liability

12.1 Liability Cap

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

12.2 Sub-processor Liability

MerchantOps is liable for the acts and omissions of its Sub-processors to the same extent it would be liable if performing the services directly, subject to the limitations in the Agreement.

13. Modifications

MerchantOps may modify this DPA from time to time to reflect changes in applicable law or our data processing practices. We will provide at least thirty (30) days' notice of material changes. Client's continued use of the Service after the effective date of modifications constitutes acceptance of the modified DPA.

14. Contact

For questions about this DPA or to exercise rights under this DPA, contact:

Pixellab LLC (d/b/a MerchantOps)
Data Protection Inquiries
Email: [email protected]

Annex A: Processing Details

A.1 Subject Matter and Duration

MerchantOps Processes Personal Data to provide the Service as described in the Agreement. Processing continues for the duration of the Agreement.

A.2 Nature and Purpose of Processing

MerchantOps Processes Personal Data to provide AI-powered product enrichment, data management, and operational automation services for retail and commerce organizations. Processing activities include:

  • Storage and organization of product data uploaded by Client
  • Automated data enrichment using AI and web search capabilities
  • Data mapping and transformation
  • Integration with third-party platforms designated by Client
  • Generating analytics and reports for Client
  • Providing customer support

A.3 Categories of Data Subjects

  • Client's employees and authorized users
  • Individuals whose information is included in Client Data (e.g., product contacts, vendor contacts)

A.4 Categories of Personal Data

  • Account Information: Names, email addresses, job titles, phone numbers
  • Authentication Data: Passwords (hashed), session tokens
  • Usage Data: IP addresses, device information, access logs
  • Client Data: Any Personal Data included in product data, catalogs, or other content uploaded by Client
  • Communications: Support tickets, chat messages, emails

A.5 Sensitive Personal Data

The Service is not designed to Process sensitive Personal Data (e.g., health information, financial account numbers, government identifiers). Client should not submit sensitive Personal Data to the Service.

A.6 Retention Period

Personal Data is retained for the duration of the Agreement and deleted within thirty (30) days of termination, except as otherwise provided in this DPA.

Annex B: Technical and Organizational Measures

MerchantOps implements the following technical and organizational measures to protect Personal Data:

B.1 Access Control

  • Role-based access controls limiting access to Personal Data
  • Multi-factor authentication for administrative access
  • Unique user credentials for all personnel
  • Regular access reviews and prompt revocation upon termination
  • Principle of least privilege

B.2 Encryption

  • TLS 1.2 or higher for data in transit
  • AES-256 encryption for data at rest
  • Secure key management practices

B.3 Network Security

  • Firewalls and network segmentation
  • Intrusion detection and prevention systems
  • DDoS mitigation
  • Regular vulnerability scanning

B.4 Application Security

  • Secure software development lifecycle (SDLC)
  • Code reviews and security testing
  • Regular penetration testing by third parties
  • Prompt patching of known vulnerabilities

B.5 Physical Security

  • Data hosted in SOC 2 certified cloud infrastructure (AWS/GCP)
  • Physical access controls at data center facilities
  • Environmental controls (fire suppression, climate control, power backup)

B.6 Operational Security

  • Security awareness training for all personnel
  • Background checks for personnel with access to Personal Data
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular backups with tested restoration procedures

B.7 Monitoring and Logging

  • Centralized logging of security-relevant events
  • Log retention for security analysis
  • Alerting on suspicious activity
  • Regular log reviews

Annex C: Sub-processors

MerchantOps uses the following Sub-processors to provide the Service:

| Sub-processor               | Purpose                              | Location      |
|-----------------------------|--------------------------------------|---------------|
| Amazon Web Services (AWS)   | Cloud infrastructure and hosting     | United States |
| Google Cloud Platform (GCP) | Cloud infrastructure and AI services | United States |
| MongoDB Atlas               | Database hosting                     | United States |
| Stripe                      | Payment processing                   | United States |
| OpenAI                      | AI and language model services       | United States |
| Anthropic                   | AI and language model services       | United States |
| PostHog                     | Product analytics                    | United States |
| Stytch                      | Authentication services              | United States |

This list was last updated on December 16, 2025. MerchantOps will update this list and provide notice in accordance with Section 4.3 when engaging new Sub-processors.