How we process personal data on your behalf.

For personal data we process on your behalf in connection with the VeryQuery service, you are the Controller and we are the Processor, as those terms are defined in Article 4 of the General Data Protection Regulation 2016/679 ("GDPR") and the equivalent definitions in the UK GDPR.

For personal data we collect and process for our own purposes (our marketing site, our billing relationship with you, our administration of the service), we are an independent Controller. Our Privacy Policy describes that processing. This DPA does not cover it.

Where this DPA refers to "Personal Data," it means personal data we process as your Processor: catalog text containing personal data, search-query text containing personal data, anonymous shopper signals correlated to a session identifier, and any other personal data you direct us to process via the VeryQuery service.

This DPA applies to our processing of Personal Data on your instructions in connection with our provision of the VeryQuery service to you. It is incorporated by reference into the Customer Terms of Service and forms part of the agreement between us.

In the event of conflict between this DPA and the Customer Terms of Service on a matter relating to processing of Personal Data, this DPA controls. In all other matters, the Customer Terms of Service control.

This DPA does not apply to data we hold about you as our customer (your account information, billing data, support history). That data is covered by the Privacy Policy.

The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects of the processing are as follows:

Subject matter

Provision of the VeryQuery search-as-a-service platform to you, including ingestion of your catalog, processing of shopper queries, generation of intelligence aggregates, and delivery of search and related features to your shoppers.

Nature

Storage, indexing, embedding, retrieval, transformation (LLM-assisted normalization and enrichment of catalog text), aggregation, deletion.

Purpose

To enable your shoppers to find products in your catalog and to give you analytical visibility into how they search and what they engage with.

Duration

For the term of the Customer Terms of Service, plus the retention periods specified in §13.

Types of Personal Data

Such Personal Data as may be present in catalog text you submit (typically: none, but you control your catalog content); free-text search queries entered by your shoppers (which may contain personal data); anonymous session identifiers; IP addresses associated with shopper requests (transient, not stored except in security and rate-limiting logs).

Categories of Data Subjects

Your shoppers; any individuals identifiable from catalog text you choose to submit.

We process Personal Data only on your documented instructions, including with regard to transfers to a third country or an international organization, unless required to do so by applicable law. Where required by law, we will inform you of that requirement before processing, unless the law prohibits such notification on important grounds of public interest.

Your acceptance of the Customer Terms of Service and your use of the VeryQuery service in accordance with documentation we publish constitute your documented instructions for the processing necessary to provide the service. You may issue additional written instructions by writing to [email protected]; we will confirm receipt and either implement the instruction or notify you within a reasonable period if we cannot.

We will inform you immediately if, in our opinion, an instruction infringes the GDPR, UK GDPR, or other applicable data-protection law.

We limit access to Personal Data to personnel who need it to perform their duties. Personnel authorized to access Personal Data are bound by confidentiality obligations through their engagement with us, whether by employment agreement, contractor agreement, or equivalent.

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The measures currently in place include:

• Encryption in transit. All connections to the VeryQuery service are protected by TLS 1.2 or higher. HTTP-only connections are not accepted on the marketing site, dashboard, public API, or storefront embed.
• Credential storage. Customer account passwords are stored as one-way password hashes (bcrypt or equivalent) and are never stored or transmitted in plaintext.
• Access control. Production systems are accessible only to a small number of named operators. Administrative actions taken in the admin console are recorded in an immutable audit log.
• Network isolation. Our primary database and vector index listen only on private network interfaces; they are not exposed to the public internet.
• Backups. The primary database is backed up daily to provider-managed block storage with a finite retention window. Backups are used for disaster recovery only and are not shared with third parties for any other purpose.
• Patching. We apply security patches to the operating system, runtime, and application dependencies on a schedule prioritized by severity.

We will update this section as our security posture evolves. Significant additions (for example, encryption at rest at the database layer, formal vulnerability scanning, a documented incident-response runbook, or third-party security certifications) will be reflected in a new version of this DPA.

You give us a general authorization to engage Sub-processors in the provision of the service, subject to the conditions in this section.

Our current Sub-processors are listed in the Sub-Processor List. The list states the Sub-processor's identity, the location of processing, and the nature of the processing each performs.

We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA. We remain responsible to you for the acts and omissions of our Sub-processors.

We will notify you of any addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect. Notification is given by updating the Sub-Processor List and sending an email to the address on file for your Org's billing contact. You may object to the change for documented data-protection reasons within fifteen (15) days of notification. If you object and we are unable to resolve the objection by alternative means, you may terminate the Customer Terms of Service for cause as to those parts of the service that cannot be provided without the Sub-processor.

You acknowledge that we and our Sub-processors process Personal Data in the United States.

Where we transfer Personal Data originating from the EEA, the UK, or Switzerland to a jurisdiction not subject to an adequacy decision, we rely on appropriate safeguards under Article 46 GDPR (and equivalent UK provisions), including:

• The European Commission's Standard Contractual Clauses (2021/914) for processor-to-processor and controller-to-processor transfers, as applicable. The Module Two clauses are deemed incorporated into this DPA where you act as Controller and we act as Processor.
• The UK International Data Transfer Addendum to the EU SCCs, for transfers subject to UK GDPR.
• The Swiss revFADP-compliant amendments to the SCCs for transfers originating from Switzerland.

Where the European Commission, the UK Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner has issued an adequacy decision applicable to a destination jurisdiction, we may rely on the adequacy decision in place of the SCCs.

If a transfer mechanism we rely on is invalidated or modified by a court or regulator, we will work with you in good faith to identify and implement a replacement mechanism within a reasonable period.

Taking into account the nature of the processing, we assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (and equivalent UK provisions).

In practice:

• If a Data Subject contacts us directly with a request that should be addressed to you as Controller, we will redirect them to you and notify you of the contact.
• If you receive a request and need us to retrieve, correct, or delete Personal Data in our systems on your behalf, you may submit the request to [email protected]; we will respond within a reasonable period, typically within fifteen (15) business days.
• For requests that affect a high volume of records or require novel engineering, we may charge a reasonable fee for our assistance and will agree the fee in writing before proceeding.

We will notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data we process on your behalf.

The notification will include, to the extent then known:

• The nature of the breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned.
• The likely consequences of the breach.
• The measures we have taken or propose to take to address the breach, including (where appropriate) measures to mitigate its possible adverse effects.
• The contact point for further information.

Where it is not possible to provide all information at once, we will provide it in phases as soon as the information becomes available.

We will cooperate with you and provide reasonable assistance to enable you to comply with your own notification obligations to supervisory authorities and Data Subjects under Articles 33 and 34 GDPR (and equivalent UK provisions).

Taking into account the nature of processing and the information available to us, we provide reasonable assistance to you in carrying out:

• Data Protection Impact Assessments under Article 35 GDPR (and equivalent UK provisions).
• Prior consultations with supervisory authorities under Article 36 GDPR (and equivalent UK provisions).

Our assistance is typically provided by responding to written questions about our processing operations and security measures. Where the requested assistance materially exceeds responses based on information we already maintain, we may charge a reasonable fee, agreed in writing before the work is performed.

We make available to you all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

We may satisfy our audit obligations by providing on request:

• Written responses to a security and privacy questionnaire of reasonable scope.
• Copies of relevant third-party certifications or audit reports held by us or our Sub-processors (for example, SOC 2 reports for infrastructure Sub-processors).
• Documentation of our technical and organizational measures.

If the foregoing is insufficient to satisfy a regulatory requirement applicable to you, you may request an on-site audit of our facilities. We will respond to such a request within a reasonable period and agree the scope, timing, and conduct of the audit so as to minimize disruption to our operations. You will bear the reasonable costs of an on-site audit unless the audit reveals a material breach of this DPA by us.

We retain Personal Data only for as long as necessary to provide the service and to comply with our legal obligations.

On termination or expiration of the Customer Terms of Service, we will, at your written election:

• Return. Make Personal Data available to you for export in a structured, commonly-used machine-readable format, for a period of thirty (30) days following termination.
• Delete. Delete Personal Data from our active systems within thirty (30) days following termination, except as required to be retained by applicable law or as described in retention exceptions below.

Retention exceptions:

• Backups. Personal Data may persist in our routine backup snapshots beyond the deletion period, until the snapshot ages out of its retention window (typically thirty days). Backups are not used for any purpose other than disaster recovery during this period.
• Anonymized aggregates. Aggregated and anonymized data that cannot be re-associated with a Data Subject may be retained indefinitely for service improvement, billing, and analytics purposes. We do not consider such aggregates to be Personal Data.
• Audit logs. Records of administrative actions, security events, and legal-acceptance audit rows are retained indefinitely as part of our compliance posture.

Each party's liability under this DPA is subject to the limitations and exclusions in the Customer Terms of Service. Nothing in this DPA excludes or limits a party's liability where such exclusion or limitation is prohibited by applicable data-protection law.

Where you and we are joint defendants in a claim brought by a Data Subject, each party is liable for the share of any damages corresponding to its responsibility for the harm caused, in accordance with Article 82 GDPR (and equivalent UK provisions).

Order of precedence

If any provision of this DPA conflicts with the SCCs (incorporated by reference under §08), the SCCs prevail. If any provision of this DPA conflicts with the Customer Terms of Service on a matter relating to processing of Personal Data, this DPA prevails. Otherwise, the Customer Terms of Service prevail.

Governing law

This DPA is governed by the law identified in the Customer Terms of Service, except that the SCCs are governed by the law applicable to them under their own terms.

Counter-signature

This DPA is in force without counter-signature for any customer who accepts it electronically in the dashboard. We will provide a counter-signed PDF on request for customers whose procurement requirements call for one; email [email protected] with your Org name to request one.

Updates

We will revise this DPA from time to time. Material changes are subject to the change-of-terms procedure in the Customer Terms of Service; non-material changes (clarifications, fixes) may be made without notice.