Data Processing Agreement
This DPA governs the processing of personal data by NutraCheckout on behalf of its merchants, in compliance with GDPR and applicable data protection laws.
01 Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- "Data Controller" or "Merchant": the entity or individual who has subscribed to the NutraCheckout platform and on whose behalf personal data is processed
- "Data Processor": NutraCheckout, Inc., a corporation organized under the laws of Delaware, USA
This DPA forms an integral part of the Terms of Service and applies to the processing of personal data of end customers of the Merchant when such data is processed through the NutraCheckout platform. This DPA incorporates the European Commission's Standard Contractual Clauses (SCCs) for international data transfers as an annex.
02 Definitions
The following terms shall have the meanings ascribed to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"):
- Personal Data: any information relating to an identified or identifiable natural person
- Processing: any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or erasure
- Data Subject: an identified or identifiable natural person whose personal data is processed
- Data Controller: the entity that determines the purposes and means of processing personal data
- Data Processor: the entity that processes personal data on behalf of the Data Controller
- Sub-processor: a third party engaged by the Data Processor to process personal data
- Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data
Where applicable, references to CCPA definitions (as defined in the California Consumer Privacy Act) shall also apply.
03 Scope of Processing
- Subject matter: processing of payments and related checkout services through the NutraCheckout platform
- Nature and purpose: to facilitate e-commerce transactions, prevent fraud, and provide analytics and reporting
- Categories of data subjects: end customers of the Merchant who interact with checkout pages powered by NutraCheckout
- Types of personal data: name, email address, billing address, shipping address, transaction details (amount, date, status, items purchased), and device data
- Duration: for the term of the service agreement, plus any applicable legal retention periods
04 Obligations of the Processor
NutraCheckout, as Data Processor, shall:
- Process personal data only in accordance with the documented instructions of the Data Controller
- Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organizational measures in accordance with Article 32 of the GDPR
- Not engage any sub-processor without the prior general or specific written authorization of the Data Controller
- Assist the Data Controller in fulfilling its obligations to respond to data subject rights requests
- Assist the Data Controller in conducting Data Protection Impact Assessments (DPIAs) where required
- Delete or return all personal data to the Data Controller upon termination of the service agreement, at the Controller's election
- Make available all information necessary to demonstrate compliance with the obligations set forth in this DPA
- Permit and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Controller
05 Sub-Processors
NutraCheckout currently engages the following sub-processors:
| Sub-Processor | Service | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | United States |
| Google Cloud Platform (GCP) | Cloud infrastructure | United States |
| Twilio SendGrid | Transactional email delivery | United States |
The Data Controller will be notified prior to any addition or replacement of sub-processors. The Controller shall have fourteen (14) days from the date of notification to raise an objection. NutraCheckout ensures that all sub-processors are bound by obligations no less protective than those set forth in this DPA.
06 Security Measures
NutraCheckout implements the following technical and organizational security measures:
- Encryption: AES-256 at rest; TLS 1.3 in transit
- Access controls: role-based access (RBAC) with the principle of least privilege
- Monitoring: 24/7 security monitoring and logging via SIEM
- Testing: quarterly penetration testing and continuous vulnerability assessments
- Incident response: documented response plan with a dedicated security team
- Business continuity: daily backups with disaster recovery plan (RPO: 1 hour, RTO: 4 hours)
- Physical security: data centers are SOC 2 certified with 24/7 physical security
- Employee training: mandatory annual security awareness training
07 Data Breach Notification
In the event of a personal data breach, NutraCheckout will:
- Notify the Data Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach
- Provide detailed information including: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
- Designate the Data Protection Officer (dpo@nutracheckout.com) as the primary point of contact
- Cooperate with the Data Controller in communicating the breach to affected data subjects where required
- Document all breaches, regardless of severity, in an internal breach register
08 International Data Transfers
Personal data may be transferred to and processed in the United States of America. NutraCheckout ensures lawful international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated as an annex to this DPA
- Participation in the EU-US Data Privacy Framework
- Transfer Impact Assessments conducted in accordance with the principles established in Schrems II
- Supplementary technical and organizational measures to ensure an equivalent level of data protection
09 Data Subject Rights
NutraCheckout will assist the Merchant in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. NutraCheckout will respond to assistance requests within five (5) business days.
End customers who wish to exercise their data subject rights should be directed to the applicable Merchant in the first instance, as the Merchant acts as the Data Controller for their personal data.
10 Audit Rights
The Data Controller may audit NutraCheckout's compliance with this DPA, subject to the following terms:
- At least thirty (30) days' prior written notice is required
- NutraCheckout will make available SOC 2 Type II reports and relevant certifications as an alternative to physical audits where practicable
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt NutraCheckout's operations
- Reasonable costs of the audit shall be borne by the Data Controller
11 CCPA Addendum
For the purposes of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), NutraCheckout acts as a "Service Provider" as defined therein. In this capacity:
- NutraCheckout does NOT sell or share Personal Information as defined under the CCPA
- NutraCheckout does NOT retain, use, or disclose Personal Information outside the direct business relationship with the Merchant
- NutraCheckout does NOT combine Personal Information received from or on behalf of the Merchant with Personal Information from other sources, except as necessary to provide the contracted services
12 Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Data protection obligations set forth in this DPA shall survive the termination of the service agreement. Upon termination, NutraCheckout will delete or return all personal data within thirty (30) days, at the Controller's election, except where retention is required by applicable law.
13 Contact
For questions about this DPA or our data processing practices, please contact:
NutraCheckout, Inc.
548 Market Street, Suite 35435
San Francisco, CA 94104, USA
Data Protection Officer: dpo@nutracheckout.com