Data processing addendum
Last updated: 2026-06-05. This draft sets out data-processing terms for BayStore product-instance services where BayStore processes personal data for a customer.
1. Scope and order of precedence
This Data Processing Addendum applies when BayStore processes personal data on behalf of a customer under an approved agreement. If there is a conflict between this DPA and the agreement, this DPA controls for data-processing obligations, unless the parties expressly agree otherwise in writing.
2. Roles
For customer-controlled personal data, the customer is generally the controller or business, and BayStore is generally the processor or service provider. For BayStore account, billing, sales, security, and service-administration data, BayStore may act as an independent controller as described in the Privacy Policy.
3. Customer instructions
BayStore will process customer personal data only on documented customer instructions, including instructions in the agreement, order form, product configuration, customer dashboard, support request, and this DPA. BayStore will notify the customer if it believes an instruction violates applicable data protection law, unless prohibited by law.
4. Subject matter, duration, nature, and purpose
The subject matter is BayStore's provision of product-instance services. The duration is the term of the applicable agreement plus any post-termination retention period. The nature and purpose include provisioning, operating, monitoring, securing, recovering, supporting, billing, and retiring named product instances.
5. Categories of data and data subjects
Personal data may include identifiers, business contact details, account records, service metadata, support communications, audit records, access metadata, and customer content processed through product instances. Data subjects may include customer personnel, administrators, authorized users, support contacts, and individuals whose data is submitted to customer product instances.
6. Confidentiality
BayStore will ensure that personnel authorized to process customer personal data are subject to confidentiality obligations or professional duties of confidentiality and receive access only as needed for service delivery, security, support, and compliance.
7. Security measures
BayStore will maintain appropriate technical and organizational measures designed to protect customer personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage. Measures may include access control, authentication, least-privilege permissions, logging, tenant-isolation boundaries, lifecycle audit trails, secure development practices, backup and recovery procedures, and incident-response processes.
8. Subprocessors
Customer authorizes BayStore to use subprocessors for hosting, infrastructure, database, security, observability, email, payment, support, and authentication functions. BayStore will impose written data-protection obligations on subprocessors that are materially protective of customer personal data. The final production DPA should attach or link to the approved subprocessor list and describe notice and objection procedures.
9. Assistance with rights requests
Taking into account the nature of processing, BayStore will provide reasonable assistance to help customer respond to data-subject requests where customer cannot fulfill the request independently through the service. Requests should be submitted through the agreed support or privacy channel.
10. Assistance with compliance
BayStore will provide reasonable information and assistance for security, breach notification, data-protection impact assessment, and regulatory consultation obligations where required by applicable law and where the information is not otherwise available to customer.
11. Personal data breach
BayStore will notify customer without undue delay after becoming aware of a personal data breach affecting customer personal data. The notice should describe available information about the incident, affected data, likely consequences, mitigation steps, and contact channel. Customer remains responsible for determining whether notices to individuals or regulators are required, unless the agreement states otherwise.
12. Return and deletion
After termination or expiry of the services, BayStore will return or delete customer personal data according to the agreement and documented customer instructions, unless retention is required by law, audit, security, backup, or dispute-resolution obligations. Backup copies may remain until overwritten under normal retention cycles.
13. Audits and information
BayStore will make available information reasonably necessary to demonstrate compliance with this DPA. The final agreement should define audit frequency, confidentiality, scope, notice, cost allocation, and restrictions designed to protect BayStore systems and other customers.
14. International transfers
Where BayStore transfers personal data internationally and a transfer mechanism is required, the parties should use an approved transfer mechanism such as standard contractual clauses, an approved data-transfer addendum, or another lawful mechanism. The final production DPA should identify the selected mechanism and any supplementary measures.
15. Service-provider restrictions
Where California-style privacy laws apply and BayStore acts as a service provider or processor, BayStore will not sell or share customer personal data, retain or use it outside the business purposes described in the agreement, or combine it with personal data from other sources except as permitted by applicable law.
16. Appendix A - processing details
Subject matter: product-instance commercial lifecycle and managed operations. Purpose: provide, secure, monitor, support, bill, and recover services. Duration: agreement term plus approved retention. Data subjects: customer personnel, authorized users, support contacts, and individuals in customer content. Data categories: identifiers, contact details, account data, service metadata, support records, audit events, and customer content.
17. Appendix B - security measures to finalize
The approved DPA should attach a security exhibit covering identity and access management, encryption, network controls, logging, vulnerability management, change management, incident response, business continuity, data deletion, personnel controls, and subprocessor management.
18. Requests
DPA requests should be sent to [email protected]. Security questions should be sent to [email protected].