Data Processing Agreement

This DPA governs how Bidventor processes personal data on behalf of the Customer when providing the services described in the applicable agreement between the parties.

For purposes of this DPA:

• •Controller means the Customer.
• •Processor means Bidventor.
• •Personal Data means any information relating to an identified or identifiable person, as defined under applicable data protection law.
• •Processing means any operation or set of operations performed on personal data, such as collection, storage, use, disclosure, or deletion.

Bidventor processes data to:

• •Provide analytics and optimization features of the platform
• •Generate insights, reports, and recommendations requested by the Customer
• •Support the Customer's business operations in connection with the services

Processing may include the following categories, depending on what the Customer provides or authorizes:

• •Account and contact details (for example, name, email, company)
• •Business and commercial data related to the Customer's use of the services
• •Amazon-related advertising, listing, and performance data obtained through authorized connections
• •Limited personal data of the Customer's end customers only if provided by the Customer or accessed through authorized APIs as needed to deliver the services

Where Amazon data is processed, Bidventor agrees that such data will be:

• •Used only to provide the services for the specific Customer account to which the data relates
• •Not combined or used across other Customer accounts in a manner that is inconsistent with this obligation
• •Not sold, resold, or shared for unauthorized third-party use
• •Handled in line with the Amazon Data Protection Policy and other applicable Amazon requirements, as updated from time to time

Bidventor will:

• •Process personal data only on documented instructions from the Customer, including as set out in this DPA and the main agreement, unless required to do otherwise by applicable law (in which case Bidventor will, where permitted, inform the Customer of that legal requirement before processing)
• •Maintain the confidentiality of personal data and ensure that persons authorized to process such data are subject to appropriate confidentiality duties
• •Implement appropriate technical and organizational measures to protect personal data, as described in this DPA
• •Ensure that relevant personnel are informed of and trained on data protection responsibilities to the extent appropriate to their role

Security measures may include, as appropriate to the risk:

• •Encryption of personal data in transit and at rest, where appropriate
• •Access controls, authentication, and least-privilege access to systems and data
• •Logging, monitoring, and review processes designed to help detect and respond to incidents
• •Hosting and operations on secure infrastructure provided by vetted service providers

The Customer authorizes Bidventor to engage subprocessors to support the services, which may include providers of hosting, payment processing, email and communications, and other operational functions.

Where Bidventor uses subprocessors, Bidventor will ensure that they are bound by written terms that require appropriate data protection and security obligations. Subprocessors may process personal data only to deliver services to Bidventor for the benefit of the Customer and may not use the data for their own independent purposes.

Bidventor retains personal data only for as long as necessary to provide the services, meet legal and contractual obligations, and resolve disputes, as further described in the Privacy Policy.

Following termination of the services, Bidventor will delete or return personal data in line with the main agreement and this DPA, within a defined timeframe as agreed or as described in the Privacy Policy, unless applicable law requires longer retention.

Where Amazon personal data is in scope, Bidventor will delete such data within 30 days when required by applicable Amazon policies or the parties' agreement, unless a different period is required by law.

Bidventor will assist the Customer, taking into account the nature of the processing, in responding to requests from data subjects to exercise their rights under applicable law, including requests for access, rectification, and deletion, where such requests relate to data processed by Bidventor on behalf of the Customer. The Customer remains responsible for evaluating and responding to such requests as Controller.

If Bidventor becomes aware of a personal data breach affecting data processed on behalf of the Customer, Bidventor will notify the Customer without undue delay and will provide information reasonably available to help the Customer meet its own notification obligations.

Where the breach involves Amazon data, Bidventor will notify Amazon within 24 hours to the extent required by applicable Amazon policies or the parties' agreement, and will cooperate with the Customer in mitigation.

Personal data may be transferred to and processed in countries other than the country in which the Customer or data subjects are located. Where required by applicable law, Bidventor will implement appropriate safeguards for such transfers, which may include standard contractual clauses or other approved mechanisms, together with the security measures described in this DPA.

The Customer may request reasonable information from Bidventor to confirm compliance with this DPA, such as summaries of security practices, certifications where available, and responses to written questionnaires, subject to reasonable confidentiality and security arrangements.

This DPA remains in effect for as long as Bidventor processes personal data on behalf of the Customer in connection with the services. It ends when processing has ceased and any required deletion or return of data has been completed, except that provisions that by their nature should survive will continue to apply.

Liability in connection with this DPA and the services is governed by the Terms of Service unless the parties have agreed otherwise in a separate written agreement.

This DPA is governed by the laws of the State of Montana, United States, without regard to conflict of law principles, consistent with the Terms of Service, unless otherwise required by applicable data protection law.

If you have questions about this DPA, please contact: