Data Processing Agreement (DPA)

This Data Processing Agreement is automatically incorporated into and forms part of the Brandmerch Terms of Service.

Merchacha LLC d/b/a Brandmerch

Effective Date: November 16, 2025

This Data Processing Agreement (“DPA”) forms part of the Brandmerch Terms of Service (the “Agreement”) and is entered into between:

  • Customer (the “Controller”)
  • Merchacha LLC d/b/a Brandmerch (the “Processor”)

This DPA governs the Processing of Personal Data by Processor on behalf of Controller.

1. Scope & Applicability

This DPA applies where Processor Processes Personal Data on behalf of Controller in connection with the Brandmerch platform and services.

This DPA is incorporated by reference into the Terms of Service and is binding upon acceptance of the Terms.

2. Definitions

  • “Personal Data”: Information relating to an identified or identifiable individual
  • “Processing”: Any operation performed on Personal Data
  • “Controller” / “Processor”: As defined under applicable data protection laws (e.g., GDPR)
  • “Subprocessor”: Any third party engaged by Processor to Process Personal Data on behalf of Controller

3. Processing Details

3.1 Subject Matter

Provision of merchandise sourcing, customization, storage, fulfillment, and logistics services.

3.2 Duration

For the duration of the Agreement, plus a reasonable retention period thereafter, subject to Section 10.

3.3 Nature of Processing

  • Collection
  • Storage
  • Organization
  • Transmission
  • Fulfillment and delivery

3.4 Categories of Data

  • Names
  • Email addresses
  • Phone numbers
  • Shipping and billing addresses
  • Employer / company information
  • Order and transaction data
  • Gift recipient data
  • Uploaded content (logos, artwork)

3.5 Categories of Data Subjects

  • Customer employees
  • End recipients of merchandise
  • Customer users

4. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Not sell or use Personal Data for independent purposes
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures

5. Security Measures

Processor maintains appropriate safeguards, including:

  • Encryption in transit (TLS/HTTPS)
  • Secure infrastructure and hosting
  • Role-based access controls
  • Authentication protections
  • Monitoring and logging
  • Vendor due diligence

Processor shall regularly review and update these measures.

6. Subprocessors

Controller authorizes Processor to engage Subprocessors, including:

  • Payment processors (e.g., Stripe)
  • Hosting providers (e.g., Vercel, AWS)
  • Shipping carriers (UPS, FedEx, USPS, DHL)
  • Tax providers (TaxJar)
  • Media providers (Cloudinary)
  • Manufacturing, decoration, and fulfillment vendors

Processor shall:

  • Ensure Subprocessors are bound by written data protection obligations no less protective than those in this DPA
  • Remain responsible to Controller for Subprocessors' compliance with those obligations
  • Maintain a current list of Subprocessors (published in Annex III or available upon request)

7. International Transfers

Where Personal Data is transferred outside the applicable jurisdiction:

  • Processor shall implement appropriate safeguards
  • Standard Contractual Clauses (SCCs) shall apply where required

8. Data Subject Rights

Processor shall, to the extent legally required and technically feasible, assist Controller in responding to:

  • Access requests
  • Deletion requests
  • Correction requests
  • Portability requests

9. Data Breach Notification

Processor shall notify Controller without undue delay (and, where feasible, within 72 hours) after becoming aware of a Personal Data breach affecting Controller's Personal Data, so that Controller can meet its own regulatory notification deadlines.

Notification shall include:

  • Nature of the breach
  • Categories of affected data
  • Likely impact
  • Remediation steps

10. Data Retention & Deletion

Processor shall:

  • Retain Personal Data only as necessary
  • Upon termination of the services, and at Controller's written request, return or delete Personal Data

Processor may retain data where legally required.

11. Audit Rights

Processor shall make available information reasonably necessary to demonstrate compliance.

Audits:

  • Must be reasonable, limited in scope, and not disruptive
  • May be satisfied via security documentation or certifications where available

12. Marketplace, Vendors & Logistics

Controller acknowledges that Brandmerch operates a distributed supply chain.

Processor may share Personal Data, strictly to the extent necessary to produce, customize, and deliver merchandise, with:

  • Suppliers
  • Decorators
  • Fulfillment partners
  • Shipping carriers

Processor is not responsible for:

  • Independent misuse by third parties outside its control (without limiting Processor's responsibility for Subprocessors under Section 6)
  • Carrier-related failures

13. Customer Responsibilities

Controller represents that:

  • It has a lawful basis for processing
  • It has obtained required consents
  • Its instructions comply with applicable laws

14. Liability

To the maximum extent permitted by law:

  • Processor’s total liability is limited to fees paid in the preceding 12 months

Processor is not liable for:

  • Controller’s misuse of data
  • Inaccurate data provided by Controller
  • Failures of third-party carriers or vendors

15. Term

This DPA remains in effect for the duration of the Agreement and until all Personal Data is deleted or returned.

16. Governing Law

This DPA is governed by the laws of the State of North Carolina, unless otherwise required by applicable law.

Annex I – Processing Details (GDPR-Ready)

Processing details are set out in Section 3 above (subject matter, duration, nature of processing, categories of data, and categories of data subjects), corresponding to the elements of a processing description required under GDPR Article 28(3).

Annex II – Security Measures

Security measures are detailed in Section 5 above.

Annex III – Subprocessors

  • Stripe
  • Vercel
  • AWS
  • Cloudinary
  • TaxJar
  • UPS / FedEx / USPS / DHL