Data Processing Addendum

Last updated: 2026-05-15

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Scepter Software LLC, a Michigan limited liability company operating the retailerapi Service ("retailerapi", "we", "us"), and governs the processing of Personal Data by retailerapi on behalf of the Customer where such processing is subject to Data Protection Laws (GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and analogous regimes). It is automatically incorporated into the Terms of Service whenever the Customer is acting as a Controller and retailerapi is acting as a Processor.

1. Scope and roles

retailerapi is a product-data API. The personal data we process on the Customer's behalf is limited to (a) the Customer's own account, billing, and usage data, and (b) any data the Customer voluntarily includes in API requests beyond the public product identifier. retailerapi does not collect personal data about the Customer's end users in the ordinary course of operating the Service. In the few cases where processing of end-user personal data occurs at the Customer's direction (for example, if the Customer chooses to associate a UPC lookup with an end-user session ID in a custom header), the Customer is the Controller and retailerapi is the Processor.

2. Processing instructions

retailerapi processes Personal Data only on the Customer's documented instructions, which are the Terms of Service, this DPA, the technical configuration of the Customer's account, and the explicit content of each API request. retailerapi will inform the Customer if, in its opinion, an instruction infringes the GDPR or other Data Protection Laws.

3. Confidentiality

retailerapi ensures that personnel authorized to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4. Security measures

retailerapi implements appropriate technical and organizational measures to protect Personal Data, including: TLS 1.3 in transit; AES-256 encryption at rest in Postgres; hashed storage of API keys (no plaintext retention); hardware MFA on all production console access; automated dependency scanning on every deploy; row-level security (RLS) policies that scope data to its owning organization; append-only audit logs for API usage; and short-window retention (30 days) on server access logs.

5. Sub-processors

The Customer authorizes retailerapi to engage the sub-processors listed at /legal/subprocessors. retailerapi will notify the Customer of any intended additions or replacements at least 30 days in advance, by email to the billing contact and via the changelog. If the Customer reasonably objects on Data Protection grounds, the Customer may terminate the affected portion of the Service for a pro-rata refund of any prepaid fees.

6. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country that does not provide an adequate level of protection, retailerapi relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and the EU–US Data Privacy Framework (and the UK Extension thereto), as applicable. By executing the Terms of Service, the parties are deemed to have entered into the SCCs, with retailerapi as the data importer and the Customer as the data exporter.

7. Data subject rights

retailerapi will reasonably assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) submitted under applicable Data Protection Laws. Customers can request deletion of their own account data by contacting software@sceptermarketing.com; we respond within 30 days.

8. Personal Data Breach notification

retailerapi will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Customer's data. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

9. Audits

retailerapi will make available to the Customer, on request, information reasonably necessary to demonstrate compliance with this DPA, including the most recent available third-party audit summaries or security questionnaire responses. For enterprise customers under a separate signed agreement, on-site or video audits may be arranged on reasonable advance notice no more than once per year, except where required by a supervisory authority or following a Personal Data Breach.

10. Deletion or return on termination

On termination of the Service, retailerapi will, at the Customer's choice, delete or return all Personal Data processed on the Customer's behalf, subject to a 60-day soft-delete window for accidental closures and any legal retention obligation (e.g., billing records retained 7 years for US tax compliance).

11. CCPA / CPRA

For California residents, retailerapi acts as a Service Provider under the CCPA/CPRA and processes Personal Information only on the Customer's behalf and for the purposes specified in the Terms of Service. retailerapi does not retain, use, or disclose Personal Information for any purpose other than performing the Service, or as otherwise permitted by the CCPA. retailerapi does not "sell" or "share" (as those terms are defined under the CCPA/CPRA) Personal Information.

12. Order of precedence

In case of conflict between this DPA and the Terms of Service or any other agreement between the parties, this DPA controls solely with respect to the processing of Personal Data. All other terms of the Terms of Service remain in force.

Contact: email software@sceptermarketing.com. Postal mail: Scepter Software LLC, c/o Matt Hall, 2844 East Grand River Ave, East Lansing, MI 48823, USA.