Data Processing Addendum

1. Definitions

References GDPR and UK GDPR terminology for personal data, data subjects, processing, controllers, processors, and sub-processors.

2. Processing Purpose

CommerceBase processes data for the sole purpose of providing the Service, including advertising campaigns, performance measurement, and conversion event forwarding.

3. Data Categories

Covers end-user pixel events (pseudonymous identifiers, timestamps, URLs, event types) and authorized user account data (names, emails, credentials).

4. Duration

Processing continues during the service relationship; pixel records retained 24 months, click identifiers pruned after 90 days, account data retained up to 7 years post-termination.

5. Obligations

CommerceBase commits to processing data per customer instructions, maintaining confidentiality, implementing security measures, assisting with data subject rights, and notifying customers of breaches within 72 hours.

6. Sub-processors

Customers authorize engagement of the listed sub-processors below; 30-day advance notice is required for changes.

• AWS
• MongoDB Atlas
• Cloudflare
• Stripe
• Google LLC
• PPCMate / DailyClicks
• Anthropic PBC

7. International Transfers

Uses Standard Contractual Clauses and the UK International Data Transfer Addendum for non-EEA/UK transfers.

8. Audit Rights

Customers may request annual audits during business hours; existing third-party reports (SOC 2) may satisfy requirements.

9. Data Return / Deletion

Within 30 days of termination, customers can request return or deletion; CommerceBase deletes within 90 additional days unless retention is legally required.

10. Liability

Subject to limitations in the main Terms of Service.

Security Measures

• Access controls and least-privilege production access
• TLS 1.2+ encryption in transit; AES-256 at rest
• VPC network segmentation
• Encrypted 30-day backups
• Secrets management and centralized logging
• Vulnerability scanning and personnel background checks