
Data Processing Addendum.

The DPA that governs Sumeru's processing of personal data on behalf of customers (data controllers) under GDPR Article 28, UK GDPR, and CCPA/CPRA where applicable. Incorporated by reference into the Terms of Service for every customer that uses Sumeru to process personal data.

Effective · 2026-06-01 · Last updated · 2026-05-11 · Version 1.0 · draft

Draft notice · This DPA reflects current practice; it will be finalised after legal counsel review. Enterprise customers receive a counter-signed executed DPA; this page is the standard form available for review before signature. Email legal@sumeru.systems for a counter-signable version.

1. Purpose + roles

This DPA addresses the parties' obligations regarding the Processing of Personal Data in connection with the Services. The Customer is the Controller of Personal Data submitted to the Services; Sumeru is the Processor acting on Customer's documented instructions. Where Sumeru engages other vendors to process Personal Data on Sumeru's behalf, those vendors are Subprocessors.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, as defined by the GDPR or equivalent law.
  • Processing: any operation performed on Personal Data, as defined by the GDPR.
  • Data Subject: the individual whose Personal Data is being Processed.
  • Standard Contractual Clauses (SCCs): the European Commission's standard clauses for international data transfers (2021/914/EU).
  • All other capitalised terms have the meanings in the Terms of Service.

3. Scope of processing

Sumeru processes Personal Data only:

  • To deliver the Services as documented in the Order and these Terms
  • On Customer's documented written instructions (including via the Services configuration)
  • As required by applicable law (with prior notice to Customer unless prohibited)

Categories of Personal Data processed: contact information of Authorised Users; end-customer order data; pixel-event data; ad-platform conversion data; aggregated cohort + retention metrics; audit-log entries; authentication tokens (encrypted).

Categories of Data Subjects: Customer's Authorised Users; Customer's end-customers (buyers); Customer's website visitors where the storefront pixel is enabled.

Duration: for the duration of the Subscription Term, plus retention periods as specified in Section 12.

4. Controller obligations

Customer:

  • Is responsible for the lawful basis for Processing the Personal Data it submits
  • Will provide all required notices to Data Subjects and obtain all necessary consents
  • Will not submit special-category data (health, biometric, etc.) without prior written agreement
  • Will configure the Services in compliance with applicable data-protection laws
  • Will respond to Data Subject requests as Controller; Sumeru will assist as required by Section 9

5. Processor obligations

Sumeru will:

  • Process Personal Data only on Customer's documented instructions
  • Ensure persons authorised to Process Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain the security measures described in Section 7
  • Assist Customer with Data Subject requests as described in Section 9
  • Assist Customer with data-protection impact assessments (DPIAs) and consultations with supervisory authorities
  • Notify Customer of Personal-Data Incidents as described in Section 8
  • Delete or return Personal Data on termination as described in Section 12
  • Make available to Customer all information necessary to demonstrate compliance with this DPA

6. Subprocessors

Customer authorises Sumeru to engage the Subprocessors listed below to deliver the Services. Sumeru remains responsible for each Subprocessor's compliance with this DPA.

Subprocessor         Purpose                                                        Region
Cloudflare           CDN · edge runtime · Worker for lead-capture                   USA · EU edge
AWS                  Primary application hosting · Postgres · BullMQ queues         USA · EU multi-region
Stripe               Payment processing for subscription billing                    USA
Resend               Transactional email (account · billing · security)             USA
Anthropic            AI Copilot inference (Claude API · per-shop opt-in)            USA
OpenAI               AI Copilot inference (per-shop opt-in)                         USA
Google Cloud         Overflow + redundancy                                          USA · EU multi-region
DataForSEO           Backlink + SERP intelligence (Competitor Intel. engine)        USA
Plausible Analytics  Cookie-less aggregate site analytics                           EU (Germany)

Notice of changes. Sumeru will notify Customer of changes to the Subprocessor list at least 30 days before the new Subprocessor begins Processing Personal Data. Customer may object on reasonable data-protection grounds within 15 days; the parties will work in good faith to find a solution, and if none is found, Customer may terminate the affected Services with a pro-rata refund.

7. Security measures

Sumeru maintains the technical and organisational measures described in detail in the Security & Trust page, including:

  • Encryption: AES-256-GCM at rest with KMS-managed keys; TLS 1.3 in transit with modern cipher suites
  • Access control: 145 fine-grained RBAC permissions, schema-level tenant isolation enforced on every database query, CI lint rule preventing cross-tenant data access
  • Authentication: OAuth refresh tokens encrypted at rest, scope-minimised, rotated hourly
  • Audit: plain-language audit row written for every autonomous action, 365-day default retention, parent-child trace correlation
  • Rate limiting: self-throttling helpers prevent route-level bypass; per-shop AI budget caps with 80% + 100% alerts
  • Backup + DR: daily encrypted snapshots, 30-day retention, multi-AZ Postgres with synchronous replica, RTO 15 minutes, RPO 1 hour
  • SOC 2 Type II audit: in progress (target completion 2026 Q2)

8. Personal-data incidents

Sumeru will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal-Data Incident. The notice will describe:

  • Nature of the incident, including categories and approximate volume of affected Data Subjects and Personal Data records
  • Name and contact details of Sumeru's data-protection contact
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident, including mitigation of adverse effects

Sumeru will cooperate with Customer's investigation and remediation. Customer is responsible for any external notification (regulators, Data Subjects) where required.

9. Data-subject rights

Customer is responsible for responding to Data Subject access, rectification, erasure, restriction, portability, and objection requests. Sumeru will:

  • Promptly forward any Data Subject request received directly by Sumeru to Customer (Sumeru will not respond directly)
  • Provide Customer with the technical means to respond within applicable legal timeframes (e.g. data export, deletion endpoints)
  • Assist Customer with documenting the response where requested

10. International transfers

Where Sumeru transfers Personal Data of EU/EEA/UK Data Subjects outside the EU/EEA/UK to a third country not deemed adequate:

  • The transfer is governed by the EU Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference
  • For UK transfers, the UK International Data Transfer Addendum applies
  • Customer may request additional supplementary measures (TIA assessment) for specific transfers
  • Enterprise customers may elect EU-only data residency as a contract addendum

11. Audits + records

Sumeru will make available to Customer:

  • Annual SOC 2 Type II report (under NDA) once the audit is complete
  • Penetration-test summary (under NDA) once available
  • Records of Processing activities relevant to Customer's data

Customer (or its independent auditor) may audit Sumeru's compliance with this DPA at Customer's expense, on 30 days' written notice, no more than once per year unless required by a regulator or following a Personal-Data Incident.

12. Deletion + return

Upon termination of the Subscription Term:

  • Customer has 90 days to export Customer Data (including Personal Data) through self-service tooling or with Sumeru's assistance
  • After 90 days, Sumeru will delete Customer Data within 60 days, except as required by law or for backup-retention purposes
  • Backups containing Customer Data are retained for up to 30 days post-backup-cycle, then permanently deleted
  • Audit-log entries may be retained for the legally required period (typically 365 days) for compliance + dispute defence

13. Liability + indemnity

Liability under this DPA is governed by the limitation-of-liability section of the Terms of Service, except that the cap does not apply to either party's obligations under Section 8 (Personal-Data Incidents) or Section 9 (Data-Subject Rights) where they relate to that party's specific obligations.

Where multiple parties are responsible for a Personal-Data Incident, liability is apportioned according to each party's actual responsibility.

Questions, requests for counter-signature, or audit requests: email legal@sumeru.systems or privacy@sumeru.systems. See also the Privacy Policy and the Terms of Service.