Data Processing Addendum (DPA)

Last Updated: February 2026

1. Purpose

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Doblly ("Processor") and the Merchant ("Controller"). It governs the processing of Personal Data in connection with the Doblly SaaS eCommerce platform.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "GDPR" refers to Regulation (EU) 2016/679. Terms not defined herein shall have the meaning set forth in applicable data protection laws.

3. Roles of the Parties

The Merchant acts as the Data Controller with respect to End Customer data. Doblly acts as a Data Processor, processing Personal Data solely on behalf of the Merchant.

4. Scope of Processing

4.1 Categories of Data Subjects

• Merchants and account users
• End customers (buyers)
• Store visitors

4.2 Categories of Personal Data

• Names, email addresses, phone numbers
• Billing and shipping information
• Transaction and order data
• IP addresses and usage data

4.3 Purpose of Processing

Processing is carried out to provide hosting, order management, store infrastructure, analytics, fraud prevention, AI-assisted tools, and related platform services.

5. Processing Instructions

Doblly shall process Personal Data only in accordance with documented instructions from the Merchant, including instructions provided through the platform interface and Terms of Service.

6. Security Measures

6.1 Technical Measures

• Encryption in transit (TLS)
• Secure infrastructure and firewalls
• Access controls and authentication systems
• Monitoring and intrusion detection

6.2 Organizational Measures

• Employee confidentiality obligations
• Restricted data access
• Security training programs
• Incident response procedures

7. Sub-Processors

Doblly may engage sub-processors for hosting, infrastructure, analytics, payment processing, and support services. Doblly ensures sub-processors are bound by data protection obligations equivalent to those set forth in this DPA. A current list of sub-processors is available upon request.

8. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Doblly implements appropriate safeguards including Standard Contractual Clauses (SCCs) or other legally approved transfer mechanisms.

9. Personal Data Breach

In the event of a Personal Data breach, Doblly shall notify the Merchant without undue delay and provide relevant information to support compliance with applicable data protection laws.

10. Data Subject Rights

Doblly shall assist the Merchant, where reasonably possible, in responding to requests from data subjects to access, correct, delete, or restrict Personal Data processing.

11. Retention & Deletion

Upon termination of services, Doblly shall delete or return Personal Data, unless retention is required by law. Backups may be retained for limited periods consistent with disaster recovery policies.

12. Audit Rights

Upon reasonable notice, the Merchant may request information necessary to demonstrate compliance. Audits shall be limited to once annually unless required by law.

13. Liability

Each party’s liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

14. Amendments

Doblly may update this DPA to reflect legal or operational changes. Continued use of the platform constitutes acceptance of the updated DPA.

15. Contact

For data protection inquiries, contact: legal@doblly.com