Data Processing Addendum

This Data Processing Addendum ("DPA") supplements our Terms of Service and governs the processing of personal data by ShelfMind on behalf of enterprise customers.

Last Updated: January 9, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between you ("Customer", "Data Controller") and ShelfMind ("Processor", "we", "us", "our") for the provision of the ShelfMind platform (the "Services").

This DPA applies where and only to the extent that ShelfMind processes Personal Data on behalf of the Customer in the course of providing the Services and such processing is subject to Data Protection Laws of the European Union, the European Economic Area, or their member states, Switzerland, and/or the United Kingdom.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Data Protection Laws" means all applicable laws relating to data protection, privacy, and security, including without limitation: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK GDPR and Data Protection Act 2018; (c) the Swiss Federal Data Protection Act; and (d) any successor or replacement legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by ShelfMind under this DPA as part of providing the Services.
  • "Processing" has the meaning given in Data Protection Laws and includes any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, or deletion.
  • "Sub-processor" means any third party appointed by ShelfMind to process Personal Data on behalf of the Customer.
  • "Data Subject" means the individual to whom Personal Data relates.

2. Scope of Processing and Roles

2.1 Roles of the Parties

The parties acknowledge and agree that:

  • Customer is the Data Controller with respect to Personal Data uploaded to the Services.
  • ShelfMind is the Data Processor acting on behalf of the Customer.
  • ShelfMind will process Personal Data only as instructed by the Customer through the Services and in accordance with this DPA.

2.2 Customer Instructions

ShelfMind shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Customer's use of the Services (including uploading, accessing, and managing Personal Data) constitutes the Customer's instruction to ShelfMind to process Personal Data.

2.3 Nature and Purpose of Processing

ShelfMind processes Personal Data for the following purposes:

  • To provide the ShelfMind platform services (planogram analytics, reporting, data storage)
  • To maintain and support the Services
  • To comply with applicable legal obligations

2.4 Categories of Data and Data Subjects

ShelfMind may process the following categories of Personal Data:

  • Account Information: Name, email address, company name
  • Usage Data: IP addresses, browser type, access logs
  • Business Data: Any Personal Data contained in planogram files, product masters, or store data uploaded by the Customer

Data Subjects may include: Customer's employees, contractors, end users, and any individuals whose Personal Data is included in uploaded files.

3. Processor Obligations

3.1 Confidentiality

ShelfMind shall ensure that all personnel authorized to process Personal Data are subject to confidentiality obligations and have received appropriate training on data protection.

3.2 Security Measures

ShelfMind implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access, multi-factor authentication, least privilege principle
  • Multi-tenant Isolation: Schema-per-tenant database architecture ensuring data segregation
  • Monitoring: 24/7 security monitoring, intrusion detection, audit logging
  • Backup and Recovery: Automated daily backups with 35-day retention, geo-redundant storage
  • Vulnerability Management: Regular security assessments, penetration testing, patch management

3.3 Assistance with Data Subject Rights

ShelfMind shall, to the extent legally permitted, notify Customer if ShelfMind receives a request from a Data Subject to exercise their rights under Data Protection Laws (access, rectification, erasure, data portability, restriction of processing, or objection). ShelfMind shall provide reasonable assistance to Customer in responding to such requests.

3.4 Assistance with Compliance

ShelfMind shall provide reasonable assistance to Customer in ensuring compliance with Data Protection Laws, including with respect to data protection impact assessments and consultations with supervisory authorities.

3.5 Data Breach Notification

ShelfMind shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer's data. The notification shall include, to the extent available: (a) description of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.

4. Sub-processors

4.1 Authorized Sub-processors

Customer consents to ShelfMind engaging the following Sub-processors:

Sub-processor               | Service                          | Location
Microsoft Azure             | Cloud hosting, storage, database | Central India (primary)
Stripe / Payment Processor  | Payment processing               | United States
SendGrid / Email Provider   | Transactional emails             | United States

4.2 Changes to Sub-processors

ShelfMind shall inform Customer of any intended changes to Sub-processors (additions or replacements) at least 30 days in advance via email or in-app notification. Customer may object to the appointment of a new Sub-processor on reasonable data protection grounds by notifying ShelfMind in writing within 30 days. If the parties cannot resolve the objection, Customer may terminate the affected Services.

4.3 Sub-processor Obligations

ShelfMind shall impose data protection obligations on Sub-processors that are substantially the same as those set out in this DPA. ShelfMind remains fully liable to Customer for the performance of any Sub-processor's obligations.

5. International Data Transfers

ShelfMind processes Personal Data primarily within the European Economic Area (EEA) and India. To the extent Personal Data is transferred to countries outside the EEA that do not provide an adequate level of data protection as determined by the European Commission, ShelfMind shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission (2021/914)
  • Supplementary measures as required by EDPB recommendations
  • Microsoft Azure's Data Processing Addendum and data transfer mechanisms

Upon request, ShelfMind shall provide Customer with a copy of the applicable transfer mechanisms.

6. Data Retention and Deletion

6.1 Retention Period

ShelfMind shall retain Personal Data for the duration of the Agreement and for 30 days thereafter, unless a longer retention period is required by law.

6.2 Deletion

Upon termination or expiration of the Agreement, or upon Customer's written request, ShelfMind shall (at Customer's election) delete or return all Personal Data to Customer within 30 days, unless retention is required by applicable law. ShelfMind shall certify in writing that such deletion has been completed.

6.3 Backup Retention

Personal Data stored in backup systems may be retained for up to 35 days beyond the primary deletion date, after which it will be automatically deleted in accordance with ShelfMind's backup retention policy.

7. Audits and Certifications

7.1 SOC 2 Certification

ShelfMind maintains SOC 2 Type II certification. Upon request and subject to confidentiality obligations, ShelfMind shall provide Customer with a summary of the most recent SOC 2 report.

7.2 Customer Audits

ShelfMind shall, upon reasonable prior written notice (at least 30 days), allow Customer (or Customer's appointed third-party auditor) to conduct an audit of ShelfMind's data processing activities, but no more than once per year unless required by a supervisory authority or in response to a Personal Data breach. Customer shall bear all costs of such audits.

8. Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA reduces either party's liability under Data Protection Laws.

9. Term and Termination

This DPA shall remain in effect for the duration of the Agreement or until all Personal Data has been deleted or returned to Customer, whichever is later.

10. Governing Law and Jurisdiction

This DPA shall be governed by the same governing law and jurisdiction provisions as set forth in the Agreement. For European customers, disputes relating to the interpretation or enforcement of this DPA may be brought before the competent courts of the EU member state where the Customer is established.

Questions About This DPA?

For questions regarding data processing, security, or to exercise your rights under this DPA, please contact our Data Protection Officer.

Email: admin@shelfmind.io
Subject Line: Data Processing Addendum Inquiry
Response Time: Within 10 business days