Data Processing Agreement

This DPA forms part of the agreement between the customer ("Customer," controller) and Amaretta LLC dba Visibility Mesh ("Processor") and applies where Processor processes personal data on Customer's behalf.

1. Subject matter, duration, nature, purpose

Processing of personal data contained in Customer-submitted URLs, page content, uploaded files, and connected-store data, solely to provide the assessment, reporting, progress-tracking, and remediation services, for the duration of the agreement plus the wind-down period in §7. Processor may also create and use de-identified, aggregated data derived from the processing for benchmarking, analytics, and Service improvement; such data does not identify any data subject and is not personal data, and Processor maintains it in de-identified, aggregated form.

2. Categories

Data subjects: Customer's personnel, end customers, and site visitors whose data appears in scanned/uploaded content. Data categories: identifiers and contact data, commercial information, content data. No sensitive/special categories are intended; Customer shall not submit them.

3. Processor obligations

Process only on documented instructions (the agreement and Service configuration constitute instructions); ensure confidentiality undertakings for all personnel; implement the technical and organizational measures in Annex B; assist with data-subject requests and DPIAs as reasonably required; make available information necessary to demonstrate compliance and allow audits (max once annually, 30 days' notice, at Customer's cost, under confidentiality, satisfiable by third-party audit reports where available).

4. Sub-processors

Customer provides general authorization for the sub-processors in Annex A. Processor will give 30 days' notice of changes (email of record); Customer may object on reasonable data-protection grounds, in which case the parties will cooperate on a solution or Customer may terminate the affected service for the portion affected. The thirty-day notice period is provided as a reasonable period consistent with applicable data-protection requirements.

Annex A. Current sub-processors: Anthropic (AI analysis, US); Supabase (database/storage, US); Railway (hosting, US); Make.com (workflow automation, US); Shopify (commerce/billing, CA/US); Resend (transactional email, US).

5. Breach notification

Processor notifies Customer without undue delay and within 72 hours of confirming a personal-data breach affecting Customer data, with the information reasonably available, and cooperates on remediation and any required notifications.

6. International transfers

Data is processed in the United States. For EEA/UK Customer data, the parties incorporate the EU Standard Contractual Clauses (Module 2) and the UK Addendum, which the parties will execute upon Customer’s request where required for a transfer of EEA or UK personal data.

7. Return and deletion

On termination, Customer may export reports and data for 30 days; thereafter Processor deletes or de-identifies Customer personal data within 90 days, except as retained by law, with backups aging out per the Privacy Policy.

8. Liability

Liability under this DPA is subject to the limitations in the Terms of Service.

Annex B. Technical and organizational measures: encryption in transit (TLS 1.2+) and at rest; default-deny row-level security and least-privilege access with server-side tenant scoping; multi-factor authentication on all administrative accounts, hardware key on founder-critical accounts, and unique credentials via a password manager; signed short-lived URLs for private deliverable storage; rate limiting and per-account and global spend caps; server-side-request-forgery protection on URL fetchers; webhook signature verification; append-only audit logging on all platforms offering it; monitoring and alerting on error, spend, and authentication anomalies; authenticated sending domain (SPF, DKIM, DMARC); automated dependency security updates; monthly access reviews; documented incident-response runbook; tested backups and point-in-time recovery; environment separation (production and development); watermarked deliverables; data minimization and stated-retention enforcement; and vendor due diligence on all sub-processors.

--- ---