Kaupr · Legal
Data Processing Agreement
Effective date: 10 May 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SASU Kaupr Europe ("Processor", "we") and the Customer ("Controller", "you"). It governs our processing of personal data on your behalf when end users (visitors to your site) interact with the Kaupr widget you have installed.
2. Subject matter and duration
Subject matter: processing of end-user search queries, click events, and (where you enable it) order-attribution data, in order to provide search and analytics functionality to your website.
Duration: while you have an active Kaupr account.
3. Nature and purpose of processing
We process end-user personal data to:
- Match queries to your catalog and return search results.
- Record query, click, and (optionally) order-attribution metrics so you can see how your shoppers use search.
- Aggregate and de-identify usage signals to improve the Kaupr service overall.
4. Categories of data and data subjects
Categories of data subject: visitors to your website who use the Kaupr widget.
Categories of personal data: as set out in the Privacy Policy section "What we collect about end users". Notably:
- Search query text (may incidentally contain personal data if a user enters their own name or address into a search box — we do not solicit this).
- Anonymous session id (browser-scoped, not joined to identity).
- User-Agent and IP address (the IP is used at log time only for country resolution and is not exposed in any UI or export).
- Order id, cart value, currency, and item count (where the Controller enables order attribution).
Kaupr does not solicit or knowingly process special-category data.
5. Controller's obligations
As Controller, you are responsible for:
- Having a lawful basis to collect end-user data via the Kaupr widget on your site.
- Providing end users with a privacy notice that discloses the use of search analytics, the categories of data processed, and the existence of this DPA.
- Responding to data-subject requests directed to you. We will assist as set out in section 8.
6. Processor's obligations
We will:
- Process personal data only on your documented instructions (the Terms, this DPA, and configuration in your account).
- Ensure persons authorised to process the data have committed to confidentiality.
- Implement appropriate technical and organisational measures (TOMs), as described in Annex II.
- Engage sub-processors only as listed in section 7 and on equivalent contractual terms.
- Assist you with data-subject requests under section 8.
- Notify you without undue delay of any personal data breach.
- Make available all information necessary to demonstrate compliance with Article 28.
7. Sub-processors
Current sub-processors: as listed in the Privacy Policy section "Sub-processors". We will provide 30 days' written notice before adding any new sub-processor and afford you the opportunity to object on reasonable data-protection grounds.
8. Data-subject requests
If we receive a data-subject request directed at you (the Controller), we will forward it within 5 business days. To assist with requests directed at you, we provide:
- Self-serve deletion of all data linked to a session id, on request via the dashboard or by email to privacy@kaupr.com.
- Export of all stored data linked to an account, on request.
9. International transfers
Where personal data is transferred to a country outside the EEA, the parties incorporate the EU Standard Contractual Clauses (Decision 2021/914) by reference, with the following Module(s): Controller-to-Processor (Module 2). We will provide the executed SCCs on request for sub-processors located outside adequate countries.
10. Audit
We will provide on request a summary of our most recent independent audit findings (or, in the absence of a formal audit, our internal TOM documentation). Customers on Enterprise plans may request a bespoke audit subject to reasonable scope and frequency limits.
11. Return or deletion
On termination of the Service, we will delete or return all personal data processed on your behalf, at your choice, within 30 days. Aggregated anonymous metrics retained for product improvement do not constitute personal data and are not affected.
Annex I — Description of processing
(See sections 3–4.)
Annex II — Technical and Organisational Measures (TOMs)
- Encryption in transit (TLS 1.2+) for all customer-facing endpoints.
- Encryption at rest for the primary database.
- Access control: role-based access; staff with access limited to those whose duties require it.
- Logging: administrative actions logged for audit.
- Backup: daily snapshots, 7-day retention for the production database.
- Incident response: documented process, with breach notifications sent within 72 hours of confirmation.
For Enterprise customers requiring a counter-signed DPA, contact legal@kaupr.com.
Questions about this document? Email legal@kaupr.com.