Data Processing Addendum
v1.0 · Last updated June 1, 2026 · Effective June 1, 2026
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service (the “Terms”) between you (“you,” “Customer,” or “Controller”) and CircuitVista Inc., a corporation incorporated in Ontario, Canada, operating the SellerArmor service (“SellerArmor,” “we,” “us,” “our,” or “Processor”). It governs our processing of personal information that we process on your behalf in providing the Service. Capitalized terms not defined here have the meaning given in the Terms.
If there is a conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA controls.
1. Definitions
- “Applicable Data Protection Law” means all privacy and data protection laws that apply to a party’s processing of Customer Personal Data, including, as applicable: U.S. state privacy laws (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and the privacy laws of Virginia, Colorado, Connecticut, Texas, and other states); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial laws including Quebec’s Act respecting the protection of personal information in the private sector (“Law 25”); and, where applicable, the EU and UK General Data Protection Regulation (“GDPR”).
- “Customer Personal Data” means personal information within Customer Data that we process on Customer’s behalf as a service provider/processor in providing the Service.
- “Personal Information,” “Personal Data,” “controller,” “business,” “processor,” “service provider,” “process,” “sell,” “share,” and “data subject” have the meanings given under Applicable Data Protection Law.
- “Subprocessor” means a third party engaged by us to process Customer Personal Data on our behalf.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
2. Roles and scope
For Customer Personal Data, Customer is the controller/business and SellerArmor is the processor/service provider acting on Customer’s behalf. For personal information about Customer’s own account holders, users, and billing contacts that we determine the purposes and means of processing, SellerArmor is an independent controller, and that processing is governed by our Privacy Policy rather than this DPA.
The subject matter, duration, nature and purpose of the processing, the types of Customer Personal Data, and the categories of data subjects are described in Annex 1.
3. Processing instructions
We will process Customer Personal Data only:
- on Customer’s documented instructions, including as set out in the Terms, this DPA, and Customer’s use and configuration of the Service; and
- as required by law, in which case we will, where legally permitted, inform Customer of that requirement before processing.
The Terms and this DPA, together with Customer’s use of the Service, constitute Customer’s complete and final instructions. We will inform Customer if, in our opinion, an instruction infringes Applicable Data Protection Law. Customer is responsible for ensuring it has a lawful basis and any required notices or consents for the Customer Personal Data it directs us to process, including its authority to connect each Amazon seller account.
4. Confidentiality
We will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process Customer Personal Data only on a need-to-know basis.
5. Security
We will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against a Security Incident, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Our current measures are described in Annex 3. We may update these measures from time to time provided that the overall level of protection is not materially reduced.
6. Subprocessors
Customer provides general authorization for us to engage Subprocessors to process Customer Personal Data, subject to this Section. We will:
- impose on each Subprocessor data-protection obligations that are substantially the same as those in this DPA, to the extent applicable to the services they provide;
- remain responsible for each Subprocessor’s performance of its obligations; and
- maintain a current list of Subprocessors by category (see Annex 2) and provide the specific list to connected Customers on request.
We will give Customer a reasonable means to be notified of any intended addition or replacement of a Subprocessor. If Customer reasonably objects to a new Subprocessor on data-protection grounds, the parties will work in good faith to find a resolution; if none is reached, Customer may terminate the affected portion of the Service.
7. Data subject requests
Taking into account the nature of the processing, we will provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights under Applicable Data Protection Law. If we receive such a request directly relating to Customer Personal Data, we will, unless legally prohibited, refer the data subject to Customer and reasonably assist Customer in responding.
8. Security incidents
We will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, and will provide information reasonably available to us to help Customer meet its own notification obligations. We will take reasonable steps to mitigate and, where possible, remediate the Security Incident. Where SP-API data is involved, we will also notify Amazon within the timeframe required under Amazon’s Data Protection Policy and applicable developer agreements. Our notification is not an acknowledgment of fault or liability.
9. Assessments and cooperation
Taking into account the nature of processing and the information available to us, we will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with regulators, and with cross-border transfer assessments where required (including under Quebec’s Law 25), in each case to the extent they relate to our processing of Customer Personal Data.
10. International transfers
Customer Personal Data is hosted in the United States. Because we are incorporated in Canada and may use service providers in the United States and elsewhere, Customer Personal Data may be transferred across borders. We will ensure such transfers are subject to appropriate safeguards as required by Applicable Data Protection Law. To the extent we process personal data subject to the GDPR, the parties agree that the applicable Standard Contractual Clauses (and, for UK data, the UK International Data Transfer Addendum) are incorporated into this DPA by reference and completed with the details in the Annexes, with this DPA prevailing in case of conflict for non-transfer matters.
11. U.S. state privacy laws — service provider commitments
With respect to Customer Personal Data subject to U.S. state privacy laws, we act as a service provider (or processor/contractor, as applicable) and certify that we will:
- process Customer Personal Data only for the limited and specified business purpose of providing the Service under the Terms, and not for any other purpose;
- not sell Customer Personal Data and not share it for cross-context behavioral advertising;
- not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than providing the Service, except as permitted by law;
- not combine Customer Personal Data with personal information received from, or on behalf of, others, or collected from our own interactions, except as permitted by Applicable Data Protection Law;
- comply with the applicable obligations of U.S. state privacy law and provide the same level of privacy protection as required of businesses; and
- notify Customer if we determine we can no longer meet these obligations.
Customer may take reasonable and appropriate steps to help ensure that we use Customer Personal Data in a manner consistent with Customer’s obligations, and to stop and remediate unauthorized use.
12. Canadian law
We will handle Customer Personal Data in a manner consistent with PIPEDA and, where applicable, Quebec’s Law 25, including by providing a comparable level of protection where Customer Personal Data is transferred to a Subprocessor for processing, assisting Customer with access and correction requests, and supporting Customer’s transfer assessments and breach-reporting obligations to the extent the processing relates to Customer Personal Data we hold.
13. Return and deletion
On termination or expiry of the Service, and on Customer’s request, we will delete or return Customer Personal Data in accordance with the disconnection and retention provisions of the Privacy Policy (including deletion of OAuth refresh tokens within 24 hours of revocation and purge of ingested account data within 30 days of disconnection), except (a) records we are required or permitted to retain by law and (b) records retained under the audit-trail, tax, accounting, or legal-defense retention periods described in the Privacy Policy, which remain subject to the protections of this DPA for as long as they are retained.
14. Audit and information
We will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where Applicable Data Protection Law grants Customer an audit right, that right is satisfied, where reasonable, by our provision of relevant documentation, summaries of controls, or third-party attestations (such as a SOC 2 report, when available). Any on-site audit will be at Customer’s expense, on reasonable prior notice, no more than once per year (except where required by a regulator or following a Security Incident), during business hours, and subject to confidentiality and to not unreasonably disrupting our operations.
15. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms, and any reference in the Terms to a party’s liability means the aggregate liability of that party under the Terms and this DPA combined.
16. Term
This DPA takes effect on the effective date above and remains in effect for as long as we process Customer Personal Data on Customer’s behalf. Provisions that by their nature should survive termination survive.
17. General
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable there, consistent with the Terms. Except as amended by this DPA, the Terms remain in full force. If any provision is held unenforceable, the remainder remains in effect.
Annex 1 — Details of processing
Subject matter. Our provision of the SellerArmor service to Customer under the Terms.
Duration. For the term of Customer’s subscription and the applicable retention periods set out in the Privacy Policy.
Nature and purpose. Accessing Customer’s authorized Amazon seller account through read-only SP-API roles; ingesting, storing, and analyzing Amazon report data to detect reimbursement opportunities; drafting reimbursement case-appeal text for Customer’s review and submission; maintaining an audit trail; and related support, billing, and security activities.
Types of Customer Personal Data. Limited personal information that may appear in connection with Customer’s business and report data and Amazon connection data, including Amazon selling partner identifiers, marketplace identifiers, and contact or identifying details of Customer’s authorized personnel. End-customer personal information (Amazon buyer names, shipping addresses, phone numbers, and email addresses) is stripped at parse time before persistence and is not retained.
Categories of data subjects. Customer’s authorized users and personnel. (End customers/Amazon buyers are excluded by design, as their personal information is removed at the source.)
Annex 2 — Subprocessors (by category)
- Cloud hosting and application platform (United States).
- Database, storage, authentication, and key management (United States).
- Third-party AI service provider — generation of draft case-appeal text; personal information is removed before transmission and the provider does not use the data to train its models.
- Email delivery.
- Error monitoring and analytics.
- Payment processing.
A current, specific list of Subprocessors is available to connected Customers on request to privacy@sellerarmor.com.
Annex 3 — Technical and organizational security measures
- TLS encryption in transit and AES-256 encryption at rest.
- Envelope encryption for OAuth refresh tokens, with master keys held in a key management service.
- Read-only SP-API roles, so connected tokens cannot modify Customer’s Amazon account.
- Source-level minimization: end-customer personal information is stripped at parse time before persistence.
- Tenant isolation through row-level access controls and least-privilege role separation.
- Audit logging of actions taken in Customer’s account.
- Documented incident-response procedures.
- Encrypted storage of secrets and credentials.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Contact
CircuitVista Inc. (operating SellerArmor)
Data protection and privacy: privacy@sellerarmor.com
SellerArmor is not affiliated with, endorsed by, or sponsored by Amazon.com, Inc.