Data Processing Agreement

Last updated: April 8, 2026

This Data Processing Agreement ("DPA") forms part of the NovoVendi Terms of Service (the "Agreement") between NovoVendi LLC ("NovoVendi," "Processor," "we," "us," or "our") and the customer ("Customer," "Controller," "you," or "your").

This DPA automatically applies if you process personal data of data subjects located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland through the NovoVendi Service, or if you are otherwise subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or similar data protection laws.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of the Service, the Customer is the Controller.
  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to:
      ◦ EU General Data Protection Regulation (GDPR) 2016/679
      ◦ UK General Data Protection Regulation (UK GDPR)
      ◦ Swiss Federal Data Protection Act (FDPA)
      ◦ California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
      ◦ Any successor or replacement legislation
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. In the context of the Service, Data Subjects are typically the end customers of the Customer's WooCommerce stores.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by NovoVendi on behalf of the Customer through the Service, including but not limited to:
      ◦ Customer names and contact information (email addresses, phone numbers, shipping addresses)
      ◦ Order information and purchase history
      ◦ Payment information (to the extent accessible through WooCommerce APIs)
      ◦ IP addresses and browsing behavior (if collected by Customer's stores)
      ◦ Any other data entered into or accessed through the Customer's WooCommerce stores
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In the context of the Service, NovoVendi is the Processor.
  • "Service" means the NovoVendi centralized management platform for WooCommerce stores, as described in the Agreement.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission, as set forth in Annex I of this DPA.
  • "Sub-processor" means any third-party Processor engaged by NovoVendi to process Personal Data on behalf of the Customer.

2. Scope and Purpose of Processing

2.1 Roles and Responsibilities

The Customer is the Controller of Personal Data processed through the Service. NovoVendi is the Processor acting on behalf of and under the instructions of the Customer.

2.2 Subject Matter and Nature of Processing

NovoVendi processes Personal Data to provide the Service, which includes:

  • Connecting to and synchronizing data from Customer's WooCommerce stores
  • Displaying product, order, and customer information in a centralized dashboard
  • Enabling global configuration management across multiple stores
  • Providing analytics and reporting features
  • Storing and transmitting data necessary for Service functionality

2.3 Duration of Processing

NovoVendi processes Personal Data for the duration of the Agreement and as necessary to provide the Service, until:

  • The Customer terminates their account and requests data deletion; or
  • The Agreement is terminated or expires; or
  • The Customer instructs NovoVendi to delete specific Personal Data

Following termination, NovoVendi will delete or return Personal Data in accordance with Section 7 (Data Retention and Deletion) of this DPA.

2.4 Types of Personal Data

The types of Personal Data processed may include:

  • Contact Information: Names, email addresses, phone numbers, billing addresses, shipping addresses
  • Transaction Data: Order history, product purchases, payment information (to the extent accessible via WooCommerce API)
  • Account Data: WooCommerce store URLs, API credentials, user preferences
  • Technical Data: IP addresses, browser types, device information (if collected by Customer's stores)
  • Usage Data: Customer behavior and interactions with Customer's WooCommerce stores

The specific types of Personal Data processed depend on what the Customer collects through their WooCommerce stores.

2.5 Categories of Data Subjects

Data Subjects whose Personal Data is processed include:

  • Customers of the Customer's WooCommerce stores (purchasers, shoppers, account holders)
  • Website visitors to the Customer's WooCommerce stores (if tracking is enabled)
  • Any other individuals whose data is entered into the Customer's WooCommerce stores

3. Customer's Obligations as Controller

3.1 Lawful Basis for Processing

The Customer represents and warrants that:

  • It has a lawful basis under Data Protection Laws to process Personal Data and to instruct NovoVendi to process Personal Data on its behalf
  • It has provided all necessary privacy notices to Data Subjects
  • It has obtained all necessary consents, where required, for the processing of Personal Data
  • It complies with all applicable Data Protection Laws in its role as Controller

3.2 Customer Instructions

The Customer instructs NovoVendi to process Personal Data:

  • To provide the Service in accordance with the Agreement
  • To comply with other documented, reasonable instructions provided by the Customer that are consistent with the Agreement
  • As necessary to comply with applicable laws

The Customer will ensure that all processing instructions comply with Data Protection Laws. NovoVendi will inform the Customer if, in NovoVendi's opinion, an instruction violates Data Protection Laws.

3.3 Accuracy and Minimization

The Customer is responsible for ensuring that Personal Data provided to NovoVendi is:

  • Accurate and up to date
  • Adequate, relevant, and limited to what is necessary for the purposes for which it is processed
  • Processed in accordance with the data minimization principle under Data Protection Laws

4. NovoVendi's Obligations as Processor

4.1 Processing Instructions

NovoVendi will:

  • Process Personal Data only on documented instructions from the Customer (as set forth in this DPA and the Agreement), unless required to do so by applicable law
  • Immediately inform the Customer if, in NovoVendi's opinion, an instruction infringes Data Protection Laws
  • Not process Personal Data for NovoVendi's own purposes or disclose Personal Data to third parties, except as permitted by this DPA or required by law

4.2 Confidentiality

NovoVendi will:

  • Ensure that all personnel authorized to process Personal Data are subject to confidentiality obligations (whether by contract or statute)
  • Ensure that access to Personal Data is limited to personnel who require such access to perform the Service
  • Not disclose Personal Data to any third party except as permitted by this DPA or required by law

4.3 Security Measures

NovoVendi implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure, including:

Technical Measures:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Secure storage of API keys and credentials using industry-standard encryption
  • Access controls and authentication mechanisms (multi-factor authentication where applicable)
  • Regular security monitoring and logging
  • Firewalls, intrusion detection systems, and network security measures
  • Secure software development practices and regular security testing

Organizational Measures:

  • Policies and procedures for data handling and security
  • Employee training on data protection and security best practices
  • Background checks for personnel with access to Personal Data (where permitted by law)
  • Incident response and data breach notification procedures
  • Regular review and updating of security measures

NovoVendi will review and update these measures as necessary to maintain an appropriate level of security considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

4.4 Assistance with Data Subject Rights

Upon the Customer's request, NovoVendi will provide reasonable assistance to enable the Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

NovoVendi will, to the extent legally permitted and technically feasible:

  • Provide the Customer with the ability to access, correct, or delete Personal Data through the Service interface
  • Respond to Data Subject requests forwarded by the Customer within a reasonable timeframe
  • Not respond directly to Data Subject requests without the Customer's prior written authorization

The Customer is responsible for verifying the identity of Data Subjects making requests and determining the appropriate response under Data Protection Laws.

4.5 Assistance with Compliance

NovoVendi will provide reasonable assistance to the Customer (at the Customer's expense for assistance beyond NovoVendi's standard obligations) with:

  • Data protection impact assessments (DPIAs), if required under Data Protection Laws
  • Prior consultation with supervisory authorities, if required under Data Protection Laws
  • Compliance with the Customer's obligations under Data Protection Laws, taking into account the nature of processing and the information available to NovoVendi

4.6 Data Breach Notification

In the event of a Personal Data breach (as defined under GDPR Article 33), NovoVendi will:

  • Notify the Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach
  • Provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the breach under Data Protection Laws

The notification will include, to the extent available:

  • Description of the nature of the breach, including categories and approximate numbers of Data Subjects and data records affected
  • Name and contact details of NovoVendi's data protection contact (info@novovendi.com)
  • Description of the likely consequences of the breach
  • Description of measures taken or proposed to address the breach and mitigate its effects

NovoVendi will cooperate with the Customer and take commercially reasonable steps to remediate the breach and prevent future breaches.

Important: The Customer remains responsible for determining whether the breach must be reported to supervisory authorities or Data Subjects under applicable Data Protection Laws.

5. Sub-processors

5.1 Authorized Sub-processors

The Customer authorizes NovoVendi to engage third-party Sub-processors to process Personal Data, provided that NovoVendi:

  • Maintains a current list of Sub-processors
  • Imposes data protection obligations on Sub-processors that are substantially similar to those in this DPA
  • Remains fully liable to the Customer for the performance of Sub-processors

5.2 Current Sub-processors

The following Sub-processors are currently authorized:

Sub-processor                           | Service Provided                               | Location
----------------------------------------|------------------------------------------------|-------------------------------------------
Amazon Web Services (AWS)               | Cloud hosting and data storage                 | United States (with global infrastructure)
Vercel Inc.                             | Application hosting and content delivery       | United States
Lemon Squeezy (Sold through Link, LLC)  | Payment processing and subscription management | United States

The current list of Sub-processors is also available at https://novovendi.com/subprocessors.

5.3 Changes to Sub-processors

NovoVendi will provide the Customer with at least 30 days' advance notice of:

  • Adding a new Sub-processor; or
  • Replacing an existing Sub-processor

Notification will be provided via:

  • Email to the Customer's registered email address; and/or
  • Update to the Sub-processor list at https://novovendi.com/subprocessors

5.4 Objection to Sub-processors

The Customer may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying NovoVendi in writing within 14 days of receiving notice.

If the Customer objects:

  • NovoVendi will use reasonable efforts to accommodate the objection (e.g., by using an alternative Sub-processor or providing an alternative solution)
  • If NovoVendi cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Service by providing written notice to NovoVendi, and NovoVendi will provide a pro-rata refund for any prepaid fees for the terminated portion

If the Customer does not object within the 14-day period, the new Sub-processor will be deemed accepted.

6. International Data Transfers

6.1 Transfers Outside the EEA/UK

Personal Data processed through the Service may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom (UK), or Switzerland, including the United States, where NovoVendi's and its Sub-processors' servers and infrastructure are located.

6.2 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that do not ensure an adequate level of data protection as determined by the European Commission, NovoVendi relies on the following transfer mechanisms:

Standard Contractual Clauses (SCCs):

  • The parties agree to be bound by the Standard Contractual Clauses for the transfer of personal data to third countries approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
  • The SCCs are incorporated into this DPA as Annex I and form an integral part of this DPA.
  • In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.

Module and Party Designation:

  • The parties agree that the Module Two SCCs (Controller-to-Processor) apply.
  • Customer is the "data exporter" and NovoVendi is the "data importer."
  • The details required by the SCCs are set forth in Annex II (Description of Transfer) and Annex III (Technical and Organizational Security Measures).

6.3 UK and Swiss Transfers

For transfers subject to UK GDPR:

  • The SCCs apply as modified by the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office (ICO).

For transfers subject to Swiss FDPA:

  • The SCCs apply with the modifications necessary to comply with Swiss law, including that references to "GDPR" also refer to the Swiss FDPA, and the supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

6.4 Cooperation on Transfer Assessments

NovoVendi will provide reasonable assistance to the Customer in conducting transfer impact assessments (TIAs) required under Data Protection Laws, including providing information about:

  • Countries where Personal Data is processed
  • Sub-processors and their locations
  • Security measures in place
  • Government access requests (subject to confidentiality obligations)

7. Data Retention and Deletion

7.1 Retention Period

NovoVendi retains Personal Data for as long as necessary to provide the Service and as instructed by the Customer, and in accordance with the data retention periods specified in our Privacy Policy and applicable laws.

7.2 Deletion or Return of Data

Upon termination or expiration of the Agreement, or upon the Customer's written request, NovoVendi will (at the Customer's choice):

  • Delete all Personal Data in NovoVendi's possession or control (including copies held by Sub-processors); or
  • Return all Personal Data to the Customer in a commonly used, machine-readable format

Deletion or return will be completed within 30 days of the termination date or request date, unless:

  • Retention is required by applicable law (in which case NovoVendi will inform the Customer of such legal requirement); or
  • Personal Data is stored in backup systems, which will be deleted in accordance with NovoVendi's backup deletion schedule (no longer than 90 days)

7.3 Certification of Deletion

Upon the Customer's written request, NovoVendi will provide written certification that Personal Data has been deleted in accordance with this Section 7.

8. Audits and Inspections

8.1 Right to Audit

The Customer has the right to audit NovoVendi's compliance with this DPA, subject to the following conditions:

  • Audits must be conducted during normal business hours and with reasonable advance notice (at least 30 days)
  • Audits must not unreasonably interfere with NovoVendi's business operations
  • Audits are limited to once per year, unless:
      ◦ Required by a supervisory authority; or
      ◦ There is a suspected data breach or non-compliance with this DPA
  • The Customer must execute a reasonable confidentiality agreement before conducting an audit
  • The Customer is responsible for the costs of the audit

8.2 Alternative Audit Mechanisms

In lieu of a Customer-conducted audit, NovoVendi may provide:

  • Third-party audit reports: Industry-standard certifications such as SOC 2 Type II, ISO 27001, or equivalent (when available)
  • Questionnaires: Completion of industry-standard security and privacy questionnaires
  • Written attestations: Confirmation of compliance with specific security measures or obligations

The Customer agrees to accept such alternative mechanisms as satisfying the audit right, provided they adequately address the Customer's compliance concerns.

9. Supervisory Authority and Data Subject Rights

9.1 Cooperation with Supervisory Authorities

NovoVendi will cooperate with and provide reasonable assistance to the Customer in responding to inquiries, investigations, or orders from data protection supervisory authorities (e.g., EU Data Protection Authorities, UK Information Commissioner's Office).

9.2 Data Subject Complaints

If NovoVendi receives a complaint or request directly from a Data Subject regarding the processing of their Personal Data, NovoVendi will:

  • Promptly notify the Customer
  • Not respond to the Data Subject without the Customer's prior written authorization (unless legally required to do so)
  • Provide reasonable assistance to the Customer in responding to the complaint or request

10. Liability and Indemnification

10.1 Liability Under SCCs

Each party's liability under the Standard Contractual Clauses is as set forth in the SCCs.

10.2 Limitation of Liability

Except as required by the SCCs or applicable Data Protection Laws, NovoVendi's total liability arising out of or related to this DPA (including breaches of data protection obligations) is subject to the limitation of liability provisions in the Agreement.

10.3 Indemnification

NovoVendi will indemnify and hold the Customer harmless from any fines, penalties, or damages imposed by a supervisory authority arising from NovoVendi's breach of its obligations under this DPA or Data Protection Laws, provided that:

  • The Customer promptly notifies NovoVendi of the claim
  • NovoVendi has the right to control the defense and settlement of the claim
  • The Customer provides reasonable cooperation in the defense

This indemnification is subject to the overall limitation of liability in the Agreement.

11. Term and Termination

11.1 Term

This DPA takes effect on the date the Customer first uses the Service (or the date the Agreement takes effect, whichever is earlier) and continues until the termination or expiration of the Agreement.

11.2 Termination

This DPA will automatically terminate upon the termination or expiration of the Agreement.

11.3 Survival

The following provisions will survive termination of this DPA:

  • Section 4.3 (Security Measures) – to the extent Personal Data remains in NovoVendi's possession
  • Section 4.6 (Data Breach Notification) – for breaches discovered after termination
  • Section 7 (Data Retention and Deletion)
  • Section 10 (Liability and Indemnification)
  • Annex I (Standard Contractual Clauses)

12. Amendments

12.1 Changes to DPA

NovoVendi may amend this DPA from time to time to reflect:

  • Changes in Data Protection Laws
  • Guidance from supervisory authorities
  • Updates to Standard Contractual Clauses
  • Changes to NovoVendi's data processing practices

Material changes will be notified to the Customer in accordance with the notification provisions in the Agreement (email and/or in-app notice with at least 30 days' advance notice).

12.2 Changes to Sub-processors and Transfers

Changes to Sub-processors and international data transfers are governed by Sections 5 and 6 of this DPA.

13. General Provisions

13.1 Relationship to Agreement

This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

13.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect, and the invalid or unenforceable provision will be replaced with a valid and enforceable provision that most closely reflects the intent of the original provision.

13.3 Governing Law

This DPA is governed by the same governing law as the Agreement (the laws of the State of Florida, United States), except to the extent required otherwise by Data Protection Laws or the SCCs.

13.4 Precedence of SCCs

In the event of any conflict between this DPA and the Standard Contractual Clauses (Annex I), the SCCs shall prevail.

14. Contact Information

For questions about this DPA or data protection matters, please contact:

NovoVendi LLC

Data Protection Contact

Email: info@novovendi.com

Address: Palm Beach County, Florida, United States

For data subject requests or data protection inquiries related to EU/UK/Swiss law, you may also contact our EU representative (if appointed in the future, details will be provided at https://novovendi.com/dpa).

ANNEX I: Standard Contractual Clauses (SCCs)

The parties agree to be bound by the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

The full text of the Standard Contractual Clauses is incorporated by reference and available at:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

MODULE TWO: Controller to Processor

Parties:

  • Data Exporter (Controller): Customer
  • Data Importer (Processor): NovoVendi LLC

Clause 7 – Docking Clause

Not applicable (Customer may not add additional parties without NovoVendi's consent).

Clause 9 – Use of Sub-processors

Option 2: GENERAL WRITTEN AUTHORISATION

The data importer (NovoVendi) has the data exporter's (Customer's) general authorization for the engagement of sub-processors from the list in Section 5.2 of this DPA. NovoVendi will inform the Customer of any changes to the list in accordance with Section 5.3, giving the Customer the opportunity to object in accordance with Section 5.4.

Clause 11 – Redress

Option 1 applies: Data subjects may lodge a complaint with an independent dispute resolution body.

The independent dispute resolution body is:

  • For EU data subjects: The competent supervisory authority in the data exporter's jurisdiction
  • For US-based disputes: [To be determined based on NovoVendi's certification programs]

Clause 13 – Supervision

The supervisory authority responsible for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer is:

  • The supervisory authority in the EU Member State where the data exporter (Customer) is established; or
  • If the data exporter is not established in the EU, the supervisory authority in the EU Member State where the data exporter's EU representative is located

Clause 17 – Governing Law

Option 1: The laws of the EU Member State where the data exporter (Customer) is established.

If the data exporter is not established in the EU, the laws of Ireland apply.

Clause 18 – Choice of Forum and Jurisdiction

Option 1: The courts of the EU Member State where the data exporter (Customer) is established have jurisdiction.

If the data exporter is not established in the EU, the courts of Ireland have jurisdiction.

ANNEX II: Description of Transfer

A. LIST OF PARTIES

Data exporter(s):

  • Name: Customer (as defined in the Agreement)
  • Address: As specified in the Customer's account
  • Contact person's name, position and contact details: Administrative User designated by Customer
  • Activities relevant to the data transferred: Operating WooCommerce stores and processing customer orders
  • Role: Controller

Data importer(s):

  • Name: NovoVendi LLC
  • Address: Palm Beach County, Florida, United States
  • Contact person's name, position and contact details: Data Protection Contact, info@novovendi.com
  • Activities relevant to the data transferred: Providing centralized WooCommerce store management platform
  • Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

  • Customers of the data exporter's WooCommerce stores
  • Website visitors to the data exporter's WooCommerce stores
  • Any other individuals whose data is entered into the data exporter's WooCommerce stores

Categories of personal data transferred:

  • Contact information (names, email addresses, phone numbers, addresses)
  • Transaction data (order history, product purchases, payment information)
  • Account data (usernames, passwords hashed by WooCommerce)
  • Technical data (IP addresses, browser types, device information)
  • Usage data (customer behavior, purchase patterns)

Sensitive data transferred (if applicable):

  • None intentionally collected by NovoVendi
  • If the data exporter collects sensitive personal data (e.g., health information) through custom WooCommerce fields, the data exporter is responsible for ensuring legal basis for such processing

Frequency of the transfer:

  • Continuous, as long as the Service is active

Nature of the processing:

  • Collection, storage, organization, structuring, retrieval, consultation, use, transmission, and deletion of personal data necessary to provide the Service

Purpose(s) of the data transfer and further processing:

  • To provide the NovoVendi Service as described in the Agreement
  • To enable the data exporter to manage multiple WooCommerce stores from a centralized dashboard

Period for which the personal data will be retained:

  • For the duration of the Agreement, and as specified in Section 7 of the DPA

For transfers to (sub-) processors:

  • See Section 5 of the DPA for the list of authorized sub-processors

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority responsible for ensuring compliance by the data exporter is:

  • The supervisory authority in the EU Member State where the data exporter is established; or
  • If not established in the EU, the Irish Data Protection Commission

ANNEX III: Technical and Organizational Measures

NovoVendi implements the following technical and organizational security measures to protect Personal Data:

1. Measures of Pseudonymization and Encryption of Personal Data

  • Encryption in transit: All data transmitted between Customer and NovoVendi is encrypted using TLS 1.2 or higher
  • Encryption at rest: All Personal Data stored in databases is encrypted using AES-256 encryption or equivalent
  • Credential encryption: API keys and authentication tokens are stored in encrypted form using industry-standard encryption
  • Pseudonymization: Where feasible, Personal Data is pseudonymized to minimize risk in the event of unauthorized access

2. Measures for Ensuring Ongoing Confidentiality, Integrity, Availability and Resilience

  • Access controls: Role-based access control (RBAC) limiting employee access to Personal Data to only those who need it
  • Authentication: Multi-factor authentication (MFA) required for all employee access to production systems
  • Monitoring and logging: Continuous monitoring of system access and activities, with audit logs retained for security and compliance purposes
  • Redundancy and backup: Regular backups of Personal Data with geographically distributed redundancy to ensure availability
  • Resilience: Use of cloud infrastructure (AWS) with auto-scaling and failover capabilities to ensure Service resilience

3. Measures for Ensuring the Ability to Restore Availability and Access to Personal Data in a Timely Manner

  • Backup and recovery: Daily automated backups with tested recovery procedures
  • Disaster recovery plan: Documented disaster recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO)
  • Incident response plan: Documented incident response procedures for data breaches and system failures

4. Processes for Regularly Testing, Assessing and Evaluating the Effectiveness of Measures

  • Security assessments: Regular security assessments and penetration testing (at least annually)
  • Vulnerability scanning: Automated vulnerability scanning of infrastructure and applications
  • Security audits: Third-party security audits and certifications (SOC 2 Type II, ISO 27001, or equivalent, when available)
  • Employee training: Regular security awareness training for all employees with access to Personal Data
  • Policy review: Annual review and update of security policies and procedures

5. Measures for User Identification and Authorization

  • User authentication: Secure password policies with complexity requirements
  • Multi-factor authentication: MFA available for Customer accounts and required for NovoVendi employees
  • Session management: Secure session management with automatic logout after inactivity
  • Access provisioning: Formal access provisioning and de-provisioning procedures

6. Measures for the Protection of Data During Transmission

  • Encryption: TLS 1.2 or higher for all data in transit
  • Certificate management: Use of valid SSL/TLS certificates with regular renewal
  • API security: Secure API authentication using OAuth 2.0 or API keys with appropriate scoping

7. Measures for the Protection of Data During Storage

  • Database encryption: Encryption of databases at rest using AES-256 or equivalent
  • Secure storage: Use of encrypted file systems and secure cloud storage (AWS S3 with encryption)
  • Data segregation: Logical separation of Customer data to prevent unauthorized cross-customer access

8. Measures for Ensuring Physical Security

  • Data center security: Use of tier 3 or higher data centers (AWS) with 24/7 physical security, video surveillance, and access controls
  • Office security: Secure office premises with access controls and visitor management
  • Device security: Full-disk encryption on employee devices with remote wipe capabilities

9. Measures for Ensuring Events Logging

  • Audit logs: Comprehensive logging of system access, data access, and configuration changes
  • Log retention: Secure storage of logs for at least 12 months for security analysis and compliance
  • Log analysis: Automated log analysis for anomaly detection and security incident investigation

10. Measures for Ensuring System Configuration

  • Secure configuration: Hardened system configurations following industry best practices (CIS Benchmarks)
  • Patch management: Regular application of security patches and updates
  • Change management: Documented change management procedures for system modifications

11. Measures for Internal IT and IT Security Governance

  • Security policies: Comprehensive information security policies and procedures
  • Incident response: Defined incident response procedures with assigned roles and responsibilities
  • Vendor management: Security assessment of Sub-processors and third-party vendors
  • Compliance program: Ongoing compliance monitoring and assessment

12. Measures for Certification/Assurance of Processes and Products

  • Certifications: Pursuit of industry-standard certifications (SOC 2 Type II, ISO 27001) as NovoVendi's scale and resources permit
  • Attestations: Third-party security attestations and audit reports provided to Customers upon request (subject to confidentiality)

13. Measures for Ensuring Data Minimization

  • Data minimization: Collection and processing of only the Personal Data necessary to provide the Service
  • Retention limits: Automatic deletion of Personal Data in accordance with retention policies (Section 7 of DPA)
  • Access limitation: Restriction of employee access to Personal Data based on job function

14. Measures for Ensuring Data Quality

  • Data validation: Validation of data inputs to ensure accuracy and completeness
  • Customer controls: Providing Customers with tools to update, correct, or delete Personal Data through the Service interface

15. Measures for Ensuring Limited Data Retention

  • Retention policies: Defined data retention periods aligned with Service needs and legal requirements
  • Automated deletion: Automated deletion of Personal Data upon account termination (30-day timeline)
  • Backup purging: Deletion of Personal Data from backup systems in accordance with backup retention schedules (maximum 90 days after account termination)

16. Measures for Ensuring Accountability

  • DPA compliance: This DPA and ongoing monitoring of compliance with data protection obligations
  • Training and awareness: Regular employee training on data protection and GDPR compliance
  • Documentation: Maintenance of records of processing activities as required by GDPR Article 30

17. Measures for Allowing Data Portability and Ensuring Erasure

  • Data export: Providing Customers with the ability to export Personal Data in machine-readable formats (JSON, CSV)
  • Data deletion: Providing Customers with self-service tools to delete Personal Data through the Service interface
  • Erasure upon request: Deletion of all Personal Data within 30 days of account termination or Customer request

This document is a comprehensive Data Processing Agreement and incorporates the Standard Contractual Clauses approved by the European Commission. By using the NovoVendi Service, the Customer agrees to the terms of this DPA.

NovoVendi LLC

Palm Beach County, Florida, United States

Email: info@novovendi.com


© 2026 NovoVendi LLC. A Florida Limited Liability Company. Palm Beach County, Florida.