Data Processing Agreement

This Data Processing Agreement applies where Listara processes personal data on behalf of a customer as a processor in connection with a paid service, SKU Readiness Pilot, evidence review, or related workflow.

It forms part of the agreement between the customer and Listara unless a separately signed data processing agreement applies.

The customer is the controller of personal data submitted to Listara for processing.

Listara acts as processor where it processes personal data on behalf of the customer and under the customer's documented instructions.

For website visitor data, lead submissions, and Listara's own business operations, Listara may act as controller as described in the Privacy Policy.

The subject matter of processing is the provision of product evidence-readiness services, including review, structuring, classification, mapping, reporting, communication, and support.

The processing continues for the duration of the relevant service relationship and any applicable retention period, unless earlier deletion or return is agreed.

Processing may include collecting, receiving, storing, organizing, structuring, reviewing, extracting, classifying, comparing, annotating, transmitting, deleting, or returning customer-provided data.

The purpose is to deliver Free Evidence Check follow-up, SKU Readiness Pilots, paid reviews, product evidence workflows, report generation, customer communication, security, support, and related operational services.

Processed data may include:

• business contact data • customer user data • product URLs and ASINs • shop URLs • supplier contact details where included in documents • product and catalog metadata • product compliance documents • supplier documents • screenshots • labels • certificates • test reports • SDS • declarations of conformity • manuals • workflow metadata • email and delivery metadata

Special categories of personal data are not intended to be processed.

Data subjects may include:

• customer employees and contractors • supplier contacts • agency contacts • marketplace or retailer contacts where included in submitted materials • Listara users and business contacts

Listara will process personal data only on documented instructions from the customer, including instructions in the agreement, order, service scope, or written communication, unless required by law.

If Listara believes an instruction violates applicable data protection law, Listara may notify the customer.

Listara will ensure that persons authorized to process personal data are subject to confidentiality obligations or appropriate statutory duties of confidentiality.

Listara will implement appropriate technical and organisational measures designed to protect personal data.

Measures may include:

• encrypted transmission • access controls • least-privilege access • role-based permissions • secure hosting and database providers • logging and monitoring • separation of environments where appropriate • backup and recovery controls where applicable • deletion or retention controls • internal access restrictions • provider security review where feasible

The customer authorizes Listara to use sub-processors to deliver the service.

Listara maintains a list of sub-processors on the Sub-processors page.

Listara will require sub-processors to provide data protection obligations appropriate to their processing activities.

Where required by law or contract, Listara will provide notice of material changes to sub-processors.

Where processing involves transfers outside the European Economic Area or other protected jurisdictions, Listara will use appropriate safeguards where required, such as adequacy decisions, standard contractual clauses, or equivalent contractual and organizational safeguards.

Taking into account the nature of processing and the information available to Listara, Listara will reasonably assist the customer with:

• responding to data subject requests • security obligations • personal data breach notifications • data protection impact assessments where applicable • deletion or return requests

Listara will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data processed by Listara as processor.

The notification will include information reasonably available to Listara to help the customer meet its obligations.

At the end of the service relationship, Listara will delete or return customer personal data according to the agreement, unless retention is required by law.

Uploaded files for paid reviews are deleted within 30 days after project completion unless otherwise agreed.

Listara will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and reasonable operational limitations.

Any audit must be conducted in a way that does not compromise security, confidentiality, other customers' data, or system integrity.

Subject matter: Product evidence-readiness review and related workflows.

Purpose: SKU-level evidence mapping, readiness review, report generation, communication, and support.

Duration: For the term of the service and applicable retention periods.

Data categories: Business contact data, product evidence data, catalog data, document metadata, supplier data where included, workflow metadata.

Data subjects: Customer personnel, supplier contacts, agency contacts, business contacts contained in submitted materials.

Listara's measures may include:

• controlled access to production systems • use of reputable hosting, database, email, and workflow providers • encrypted transport for web traffic • limited personnel access based on need • review of uploaded files only for service delivery • deletion processes for uploaded files • monitoring of submission and workflow status • separation of customer data where supported by system architecture

For DPA questions, contact legal@listara.eu.