Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Pamete ("Processor", "we", "us") and you ("Controller", "Merchant") for the provision of bookkeeping services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed under this agreement
  • "Protected Customer Data" means Personal Data belonging to your customers, including names, addresses, and order information
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion
  • "Data Protection Laws" means GDPR, applicable EU member state laws, and any other applicable privacy legislation
  • "Subprocessor" means any third party engaged by us to process Personal Data on your behalf

2. Roles and Responsibilities

You (Controller): You are the data controller for your customers' Personal Data. You determine the purposes and means of processing and are responsible for:

  • Ensuring you have a lawful basis to share customer data with us
  • Informing your customers about third-party processing
  • Responding to customer data subject requests
  • Complying with applicable Data Protection Laws

We (Processor): We act as your data processor, processing Protected Customer Data solely on your behalf and according to your documented instructions. We do not determine the purposes or means of processing Protected Customer Data. We shall not process Protected Customer Data for any purpose other than providing the bookkeeping services in accordance with your documented instructions.

3. Scope of Processing

Categories of Data Subjects

  • Your customers who place orders through Etsy or Shopify

Categories of Personal Data

  • Customer names
  • Customer addresses (shipping/billing)
  • Order details and transaction IDs
  • Items purchased (for itemized bookkeeping and applying product-specific VAT rates)

We do not require customer email addresses, phone numbers, payment card details, or any special category data for the service. If such data is included in platform API responses, we discard it during processing and do not store or use it.

Purpose of Processing

  • Generate accounting documents in country and accounting software specific formats (e.g., SIE files for Swedish accounting systems)
  • Process monthly sales summaries

Duration of Processing

Processing continues for the duration of your use of our service, subject to the retention periods specified in our Privacy Policy. Order and transaction data is processed in memory only and not stored; the only retained Protected Customer Data is within generated accounting documents.

4. Processing Instructions

We will process Protected Customer Data only in accordance with your documented instructions, which include:

  • The processing described in this DPA and our Privacy Policy
  • Processing necessary to provide the bookkeeping service
  • Processing required by applicable law (we will inform you unless prohibited)

If we believe an instruction violates Data Protection Laws, we will promptly notify you.

5. Confidentiality

We ensure that all personnel authorized to process Protected Customer Data:

  • Are bound by confidentiality obligations
  • Process data only as necessary to perform their duties
  • Are trained on data protection requirements

6. Security Measures

We implement appropriate technical and organizational measures to protect Protected Customer Data:

Technical Measures

  • Data residency: All data is stored and processed in EU-based data centers (Render EU region for backend processing, Supabase EU region, Cloudflare R2 EU region)
  • Encryption in transit: All data transmitted via TLS/HTTPS
  • Encryption at rest: Database and file storage encrypted using AES-256 (provided by Supabase and Cloudflare R2)
  • Backup encryption: All backups are encrypted using the same standards as production data
  • Environment separation: Strict separation between test and production environments; no production data in test environments

Organizational Measures

  • Access control: Staff access to Protected Customer Data is limited to personnel who require it to perform their duties
  • Authentication: Strong password requirements enforced for all staff accounts (minimum 12 characters, complexity requirements, MFA required)
  • Access logging: All access to Protected Customer Data is logged and regularly reviewed
  • Data loss prevention: Technical controls prevent unauthorized data extraction or exfiltration

7. Subprocessors

You authorize our use of the following subprocessors:

  • Render Services, Inc. (EU region) - Backend API hosting and application-level data processing
  • Supabase Inc. (EU region) - Database hosting, user authentication, and access control
  • Cloudflare, Inc. (EU region) - Secure document storage, content delivery, and network security

The following providers do not process Protected Customer Data and are outside the scope of this DPA:

  • Stripe, Inc. (USA) - Merchant billing only; no customer data
  • Vercel Inc. (USA) - Static frontend hosting only; no merchant or customer data stored

Connected platforms provide data under your authorization and are not subprocessors:

  • Etsy, Inc. (USA) - Platform data source. We access shop data via API with read-only permissions
  • Shopify Inc. (Canada) - Platform data source. We access shop data via API with read-only permissions

We will notify you before adding new subprocessors. You may object to a new subprocessor within 14 days of notification. If we cannot accommodate your objection, you may terminate the service.

We ensure all subprocessors are bound by data protection obligations no less protective than those in this DPA.

8. Data Subject Rights

We will assist you in responding to data subject requests (access, rectification, erasure, portability, objection) by:

  • Promptly notifying you of any requests received directly
  • Providing you with the ability to access and export data
  • Deleting data upon your instruction
  • Implementing technical measures to support your compliance

9. Security Incident Response

We maintain a security incident response policy that includes:

  • Detection: Monitoring and alerting for security events
  • Classification: Incident severity assessment and escalation paths
  • Response: Defined roles and responsibilities for incident handling
  • Evidence: Procedures for evidence collection and preservation
  • Notification: We will notify you of any Personal Data breach without undue delay and no later than 72 hours after becoming aware
  • Cooperation: We will provide information to help you meet your breach notification obligations

10. Data Deletion and Return

Upon termination of the service or your request:

  • We will provide you with the ability to export your data before deletion
  • We will delete all Protected Customer Data within 30 days
  • We will certify deletion upon request
  • Data may be retained only where required by applicable law, and only for the minimum period required

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. We are liable for damage caused by processing that violates this DPA or Data Protection Laws.

12. Term and Termination

This DPA remains in effect for as long as we process Protected Customer Data on your behalf. The obligations regarding confidentiality, data deletion, and security survive termination.

13. Contact

For questions about this DPA or to exercise your rights, contact us at:

Email: support@pamete.com

Last updated: December 2025