Data processing addendum
Last updated: 2026-06-08. This Data Processing Addendum sets out the data-processing terms for BayStore product-instance services where BayStore processes personal data on behalf of a customer.
1. Scope and order of precedence
This Data Processing Addendum applies when BayStore processes personal data on behalf of a customer under an approved agreement. It forms part of that agreement. If there is a conflict between this DPA and the agreement, this DPA controls for data-processing obligations, unless the parties expressly agree otherwise in writing or a signed data-processing exhibit states a more specific rule.
2. Roles
For customer-controlled personal data, the customer is the controller or business, and BayStore is the processor or service provider. For BayStore account, billing, sales, security, and service-administration data, BayStore acts as an independent controller as described in the Privacy Policy. The BayStore contracting entity is BayStore, 1455 3rd Street, San Francisco, CA 94158, USA.
3. Definitions
Terms such as "personal data," "processing," "controller," "processor," "subprocessor," "personal data breach," "business," "service provider," and "consumer" have the meanings given under applicable data protection law. "Customer Personal Data" means personal data processed by BayStore on behalf of customer under the agreement.
4. Customer instructions
BayStore will process Customer Personal Data only on documented customer instructions, including instructions in the agreement, order form, product configuration, customer dashboard, support request, and this DPA. BayStore will notify the customer if it believes an instruction violates applicable data protection law, unless prohibited by law. The customer is responsible for ensuring its instructions are lawful.
5. Customer obligations
Customer is responsible for determining whether the Services are appropriate for Customer Personal Data, providing all required notices, obtaining all required consents, maintaining a lawful basis for processing, configuring Authorized User access, responding to data-subject requests where customer controls the data, and ensuring that Customer Personal Data submitted to BayStore complies with applicable law and the agreement.
6. Subject matter, duration, nature, and purpose
The subject matter is BayStore's provision of product-instance services. The duration is the term of the applicable agreement plus any post-termination retention period. The nature and purpose include provisioning, operating, monitoring, securing, recovering, supporting, billing, and retiring named product instances.
7. Categories of data and data subjects
Personal data may include identifiers, business contact details, account records, authentication identifiers, billing metadata, service metadata, support communications, audit records, access metadata, product-instance configuration, backup metadata, and customer content processed through product instances. Data subjects may include customer personnel, administrators, authorized users, support contacts, procurement contacts, and individuals whose data is submitted to customer product instances.
8. Confidentiality and personnel access
BayStore will ensure that personnel authorized to process customer personal data are subject to confidentiality obligations or professional duties of confidentiality and receive access only as needed for service delivery, security, support, and compliance.
9. Security measures
BayStore will maintain appropriate technical and organizational measures designed to protect customer personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage. Measures may include identity and access management, authentication, least-privilege permissions, encryption in transit and at rest where appropriate, logging, tenant-isolation boundaries, lifecycle audit trails, secure development practices, vulnerability management, backup and recovery procedures, change control, and incident-response processes.
10. Subprocessors
Customer gives BayStore a general authorization to use subprocessors for hosting, infrastructure, database, security, observability, email, payment processing (including Stripe, PayPal, or another approved payment provider where used), support, analytics, authentication, fraud prevention, and operations functions. BayStore will impose written data-protection obligations on subprocessors that are materially protective of Customer Personal Data and no less protective than this DPA in substance.
The current subprocessor list is in Appendix C. BayStore gives at least thirty (30) days' advance notice before adding or replacing a subprocessor, by updating Appendix C and notifying customers who subscribe to subprocessor notices at [email protected]. Customer may object on reasonable data-protection grounds within that notice period; if the parties cannot resolve the objection, Customer may terminate the affected Services.
11. Assistance with rights requests
Taking into account the nature of processing, BayStore will provide reasonable assistance to help customer respond to data-subject requests where customer cannot fulfill the request independently through the service. Requests should be submitted through the agreed support or privacy channel.
12. Assistance with compliance
BayStore will provide reasonable information and assistance for security, breach notification, data-protection impact assessment, and regulatory consultation obligations where required by applicable law and where the information is not otherwise available to customer.
13. Personal data breach
BayStore will notify customer without undue delay after becoming aware of a personal data breach affecting customer personal data. The notice should describe available information about the incident, affected data, likely consequences, mitigation steps, and contact channel. Customer remains responsible for determining whether notices to individuals or regulators are required, unless the agreement states otherwise.
14. Return and deletion
After termination or expiry of the services, BayStore will return or delete customer personal data according to the agreement and documented customer instructions, unless retention is required by law, audit, security, backup, or dispute-resolution obligations. Backup copies may remain until overwritten under normal retention cycles.
15. Audits and information
BayStore will make available information reasonably necessary to demonstrate compliance with this DPA. Audits may be requested no more than once per year (and after a personal data breach affecting Customer Personal Data), on reasonable prior notice, under confidentiality, and without compromising the security of other customers. BayStore satisfies audit rights primarily through current security documentation, certifications, and questionnaire responses before any on-site or live-system review; on-site review, where justified, is at Customer's expense and scheduled to avoid disrupting the Services.
16. International transfers
Where BayStore transfers Customer Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties rely on a lawful transfer mechanism: the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and, where applicable, the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework, together with supplementary measures where needed. The Standard Contractual Clauses are incorporated by reference where they apply, with BayStore as data importer and Customer as data exporter, and prevail over conflicting terms to the extent required by law.
17. U.S. state privacy and service-provider restrictions
Where California-style or other U.S. state privacy laws apply and BayStore acts as a service provider, contractor, or processor, BayStore will not sell or share Customer Personal Data, retain or use it outside the business purposes described in the agreement, or combine it with personal data from other sources except as permitted by applicable law. BayStore will process Customer Personal Data only to provide and secure the services, comply with documented instructions, and perform permitted operational purposes.
18. Sensitive data and restricted data
Customer must not submit sensitive personal data, regulated health data, payment card data, government identifiers, children's data, or other restricted data unless the agreement, security exhibit, and product configuration expressly allow it. If such processing is approved in writing, BayStore and the customer will add the data-specific safeguards and any jurisdiction-specific terms required before that processing begins.
19. Deidentified and aggregated data
BayStore may process deidentified or aggregated operational data to maintain, secure, measure, and improve the services, provided it does not identify customer, authorized users, or data subjects and is not used to circumvent this DPA.
20. Appendix A - processing details
Subject matter: product-instance commercial lifecycle and managed operations. Purpose: provide, secure, monitor, support, bill, troubleshoot, recover, suspend, upgrade, and retire services. Duration: agreement term plus approved retention. Data subjects: customer personnel, administrators, authorized users, support contacts, procurement contacts, and individuals represented in customer content. Data categories: identifiers, contact details, account data, authentication identifiers, billing metadata, service metadata, support records, audit events, access metadata, backup metadata, lifecycle records, product-instance configuration, and customer content.
21. Appendix B - technical and organizational measures
BayStore maintains the following technical and organizational measures, which it may update over time provided protection is not materially reduced: identity and access management; least-privilege access; authentication; encryption in transit and at rest where applicable; network controls; tenant isolation; logging and audit trails; vulnerability management; change management; secure development; incident response; backup and restore; business continuity; data deletion; personnel screening and training; subprocessor management; payment-provider boundaries; and reliance on the physical and cloud-provider controls of BayStore's hosting subprocessors.
22. Appendix C - subprocessor list
BayStore uses the subprocessors below and keeps this list current under Section 10. The notice and objection contact is [email protected].
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Website hosting, content delivery, and web form intake | United States / global edge |
| Plausible Analytics | Privacy-friendly, cookieless website analytics (loaded only after consent) | European Union |
| Stripe, Inc. | Payment processing, where card payments are used | United States |
| PayPal, Inc. | Payment processing, where PayPal is used | United States |
23. Requests
DPA requests should be sent to [email protected]. Security questions should be sent to [email protected].