Data Processing Agreement

1. Definitions

• Controller: You, our customer, who determines the purposes and means of processing.
• Processor: Karbon Analytics, who processes data on your behalf.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data.

2. Scope of Processing

Karbon Analytics processes personal data only as necessary to provide our analytics services. This includes:

• Customer transaction data from connected e-commerce platforms
• Marketing analytics data from advertising platforms
• Website analytics data from connected properties

3. Our Obligations

As a data processor, we commit to:

• Process data only according to your documented instructions
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject requests
• Delete or return all personal data upon termination
• Make available information necessary for compliance audits

4. Sub-processors

We use the following sub-processors:

• Amazon Web Services (AWS): Cloud infrastructure (US)
• Polar/Stripe: Payment processing
• OpenAI: AI features (anonymized data only)

5. Data Transfers

Data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.

6. Security Measures

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication
• Regular security assessments
• Incident response procedures

7. Data Breach Notification

We will notify you of any personal data breach without undue delay, and within 72 hours where feasible, providing all relevant details required under GDPR Article 33.

8. Contact

For DPA-related inquiries, please contact us.