The short version
This DPA governs how Skucast processes personal data on behalf of merchants. The merchant is the controller; Skucast is the processor. We process only the data described in Annex 1, use the sub-processors in Annex 2 (Cloudflare, Shopify, Anthropic, Resend — billing is handled by Shopify directly), follow the security measures in Annex 3, and notify the merchant within 24 hours of any confirmed data breach. This DPA is incorporated by reference into the Skucast Terms of Service and takes effect automatically when a merchant installs the app.
1. Parties and effective date
This Data Processing Addendum ("DPA") is entered into between Carmotive LLC DBA Skucast, a Michigan limited liability company ("Skucast", "Processor"), and the merchant entity identified during installation of the Skucast application ("Merchant", "Controller").
This DPA is incorporated by reference into the Skucast Terms of Service and becomes effective on the date the Merchant installs Skucast. The DPA continues for the duration of the Merchant's subscription and until all merchant data has been deleted in accordance with Section 11.
2. Definitions
- "Applicable Data Protection Laws" means all laws applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679, the "GDPR"), the UK GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (the "CCPA"), and equivalent state laws in Virginia, Colorado, Connecticut, Utah, Texas, and other US jurisdictions as they come into force.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor", and "Supervisory Authority" have the meanings given in the GDPR (or equivalent terms in other Applicable Data Protection Laws).
- "Merchant Data" means Personal Data Skucast processes on behalf of the Merchant in connection with providing the Skucast services, as described in Annex 1.
- "Services" means the Skucast inventory and purchasing management application and related features.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, adopted by the European Commission in Decision 2021/914.
3. Roles of the parties
For purposes of this DPA, with respect to Merchant Data:
- The Merchant is the Controller (or, where applicable, a Processor acting on behalf of its own Controller).
- Skucast is the Processor.
- Each party will comply with the obligations applicable to its role under Applicable Data Protection Laws.
For Skucast's own account data (Merchant name, billing contact, payment method, etc.), Skucast is the Controller, governed by the Skucast Privacy Policy.
4. Scope and purpose of processing
Skucast will process Merchant Data only to the extent necessary to provide the Services, in accordance with the Merchant's lawful documented instructions, and as set out in this DPA. The Merchant's instructions are reflected in: (a) the Skucast Terms of Service; (b) the configuration choices the Merchant makes within the Skucast application; (c) the API scopes the Merchant grants during install; and (d) any additional written instructions the Merchant provides.
If Skucast believes an instruction from the Merchant violates Applicable Data Protection Laws, Skucast will notify the Merchant promptly and may decline to comply with that instruction.
5. Skucast's obligations
Skucast will:
- Process Merchant Data only on documented instructions from the Merchant, including with regard to transfers of personal data to a third country or international organization, unless required to do so by applicable law; in such a case, Skucast will inform the Merchant of that legal requirement before processing (unless the law prohibits such information on important grounds of public interest).
- Ensure that all Skucast personnel authorized to process Merchant Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement the technical and organizational measures described in Annex 3 to ensure a level of security appropriate to the risk.
- Engage sub-processors only on the terms in Section 7 below.
- Taking into account the nature of the processing, assist the Merchant by appropriate technical and organizational measures, insofar as possible, in fulfilling the Merchant's obligation to respond to requests for exercising Data Subject rights.
- Assist the Merchant in ensuring compliance with the obligations in Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to Skucast.
- At the choice of the Merchant, delete or return all Merchant Data after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of the personal data (see Section 11).
- Make available to the Merchant all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR (see Section 9).
6. Merchant's obligations
The Merchant warrants that:
- It has obtained all necessary consents and notices required under Applicable Data Protection Laws for Skucast to process Merchant Data as contemplated by this DPA.
- Its instructions to Skucast comply with Applicable Data Protection Laws.
- It is responsible for the accuracy, quality, and legality of Merchant Data and the means by which it acquired that data.
7. Sub-processors
The Merchant gives Skucast a general authorization to engage sub-processors. Skucast's current sub-processors are listed in Annex 2.
Skucast will:
- Enter into a written agreement with each sub-processor imposing data protection obligations equivalent to those in this DPA.
- Remain liable to the Merchant for the performance of each sub-processor's obligations.
- Notify the Merchant at least 30 days before adding or replacing a sub-processor, by email to the Merchant's billing contact address and by updating Annex 2 on this page.
- If the Merchant objects to the new sub-processor on reasonable data protection grounds, the Merchant may terminate the Services on written notice within 30 days of being notified; in such case the Services will be terminated and pre-paid fees for the unused portion of the term will be refunded.
8. International data transfers
Skucast operates primarily in the United States. Where Merchant Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or any other third country, the SCCs (Module 2: Controller-to-Processor) are incorporated by reference into this DPA and apply to such transfers, with the following choices:
- Clause 7 (docking clause): does not apply.
- Clause 9 (sub-processor authorization): Option 2 (general written authorization) applies, with a 30-day notice period as described in Section 7.
- Clause 11 (redress): the optional language allowing Data Subjects to lodge complaints with an independent dispute resolution body does not apply.
- Clause 17 (governing law): the law of the Republic of Ireland.
- Clause 18 (forum): the courts of the Republic of Ireland.
- Annex I.A (parties): Merchant is the data exporter; Skucast is the data importer. Contact details: as in Section 16.
- Annex I.B (description of transfer): as described in Annex 1 of this DPA.
- Annex I.C (competent supervisory authority): the Irish Data Protection Commission.
- Annex II (technical and organizational measures): as described in Annex 3 of this DPA.
For transfers from the United Kingdom, the UK International Data Transfer Addendum to the SCCs (Version B1.0, in force 21 March 2022) is incorporated. For transfers from Switzerland, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner.
9. Audits and information rights
Skucast will make available to the Merchant, on reasonable written request, the information necessary to demonstrate compliance with this DPA, including:
- The information in this DPA and its Annexes
- Summary information about Skucast's security practices, certifications, and audit results (where available)
- Responses to the Merchant's reasonable security questionnaires
The Merchant may, at its own expense and on at least 30 days' written notice, audit Skucast's compliance with this DPA no more than once per 12-month period, except where (a) Applicable Data Protection Laws require more frequent audits or (b) a confirmed data breach has occurred during the prior 12 months. Audits will be conducted during normal business hours, will not unreasonably interfere with Skucast's operations, and the auditor must sign a confidentiality agreement satisfactory to Skucast.
10. Personal data breaches
Skucast will notify the Merchant without undue delay, and in any event within 24 hours after becoming aware of a Personal Data Breach affecting Merchant Data. The notification will include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of Skucast's data protection contact (see Section 16)
- A description of the likely consequences of the breach
- The measures Skucast has taken or proposes to take to address the breach and mitigate its possible adverse effects
Skucast will cooperate with the Merchant in good faith to investigate and respond to the breach. As a Processor, Skucast does not notify Supervisory Authorities or Data Subjects directly; the Controller (Merchant) makes that decision and Skucast supports it.
11. Term, return, and deletion of data
This DPA continues for the duration of the Services. On termination of the Services:
- Default: Skucast will delete all Merchant Data within 30 days of the effective termination date, including any copies, unless retention is required by applicable law (e.g. invoice records held by Shopify on Skucast's behalf for tax compliance).
- On Merchant request: Skucast will instead return Merchant Data to the Merchant in a structured, commonly used, machine-readable format (JSON or CSV), then delete it within 30 days of the return.
- Shopify uninstall: when the Merchant uninstalls Skucast from Shopify, Shopify sends the shop/redact webhook approximately 48 hours after uninstall (after a 30-day grace period); on receipt, Skucast deletes all Merchant Data within 30 days.
Skucast will provide written confirmation of deletion on request.
12. Data Subject rights
Skucast will assist the Merchant in responding to Data Subject requests under Applicable Data Protection Laws. The Merchant may request Skucast to:
- Provide a copy of all Merchant Data relating to a specified Data Subject (right of access)
- Correct inaccurate Merchant Data (right to rectification)
- Delete Merchant Data relating to a specified Data Subject (right to erasure)
- Restrict processing of Merchant Data (right to restriction)
- Export Merchant Data in a structured format (right to portability)
For requests received via Shopify's mandatory customers/data_request and customers/redact webhooks, Skucast will respond within 30 days. For other requests, Skucast will respond within 30 days of receiving the Merchant's written instruction.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Skucast Terms of Service. The parties agree that Skucast is liable to the Merchant for any breach by Skucast of its obligations under this DPA, including those arising from the acts or omissions of its sub-processors, to the extent of Skucast's liability under the SCCs (where applicable).
14. CCPA-specific terms
For Merchants whose Merchant Data includes Personal Information of California residents under the CCPA:
- Skucast acts as a Service Provider to the Merchant (the Business).
- Skucast will not Sell or Share (as defined in the CCPA) any Personal Information.
- Skucast will not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, or as otherwise permitted by the CCPA.
- Skucast will not combine Personal Information received from the Merchant with Personal Information received from any other source, except as permitted by the CCPA.
- Skucast certifies that it understands these restrictions and will comply with them.
15. Order of precedence; changes
If there is a conflict between this DPA and the Skucast Terms of Service, this DPA controls with respect to the processing of Personal Data. If there is a conflict between this DPA and the SCCs, the SCCs control.
Skucast may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, the Services, or sub-processors. Material changes will be communicated to Merchants at least 30 days in advance by email to the Merchant's billing contact address. Continued use of the Services after the effective date constitutes acceptance.
16. Contact
Carmotive LLC DBA Skucast
Howell, Michigan, USA
Data protection contact: [email protected]
Security disclosures: [email protected]
Annex 1 — Description of processing
Subject matter
Skucast's processing of Personal Data on behalf of the Merchant in connection with providing inventory forecasting, purchase order management, RMAs, dropship routing, reporting, and (optionally) an embedded AI assistant.
Duration
For the duration of the Merchant's Skucast subscription, plus the deletion period in Section 11.
Nature and purpose
Reading Merchant Data from the Merchant's Shopify account via the Shopify Admin API to compute forecasts, build dropship purchase orders, render printable documents, generate reports, and (if enabled) answer operator queries through the AI panel. Storing derived records (PO and RMA documents, audit logs, forecaster aggregates) in Cloudflare KV to provide the Services on an ongoing basis.
Categories of Data Subjects
- The Merchant's customers (end-customers placing orders on the Merchant's Shopify store)
Categories of Personal Data
- Customer name (first and last)
- Customer shipping address (street, city, region, postal code, country)
- Order data: order ID, line items, quantities, SKUs, fulfillment status, dates of sale
Skucast does not process customer email addresses, phone numbers, payment information, marketing-consent state, or storefront-session data.
Special categories of personal data
None.
Frequency of processing
Continuous, in response to merchant operator actions and scheduled background jobs (cron-driven forecaster refreshes, dropship auto-receive, daily reports). Customer Personal Data is read from Shopify on demand and used in-flight; only references (e.g. customer name on a PO line item) are durably stored.
Annex 2 — Sub-processors
Current sub-processors as of the effective date:
| Sub-processor | Service | Location of processing | Privacy / DPA reference |
|---|---|---|---|
| Cloudflare, Inc. | Hosting (Workers, KV, Pages), DDoS protection, TLS termination, request logging | United States (primary), with global edge locations | cloudflare.com/cloudflare-customer-dpa |
| Shopify Inc. | Source system for all Merchant Data; Skucast reads it via the Admin API. Shopify also acts as a Sub-Processor under Shopify's Partner agreement. | United States, Canada | shopify.com/legal/dpa |
| Anthropic, PBC | Claude API for the optional embedded AI assistant (only invoked when the Merchant has enabled the feature) | United States | anthropic.com/legal/commercial-terms |
| Resend, Inc. | Outbound transactional email (cron summaries, vendor purchase orders, security notifications) | United States | resend.com/legal/dpa |
Skucast will notify Merchants at least 30 days before adding or replacing a sub-processor, by email to the Merchant's billing contact and by updating this Annex.
Annex 3 — Technical and organizational measures
Skucast implements the following measures to ensure the security of Personal Data:
Encryption
- All data in transit between the Merchant, Skucast workers, Skucast Pages, and sub-processors is encrypted using TLS 1.2 or higher.
- All data at rest in Cloudflare KV is encrypted at the platform level.
- Secrets (API keys, tokens) are stored in Cloudflare Workers Secrets, encrypted at rest.
Access control
- Production system access (Cloudflare dashboard, Shopify Partners, deployment tooling) is restricted to authorized Skucast personnel and protected by two-factor authentication.
- Merchant dashboard access requires a Shopify session token validated on every request.
- Skucast does not operate shared credentials; each operator session is individually attributable.
Network security
- Production runs on Cloudflare's global edge network, with built-in DDoS protection.
- HTTP endpoints requiring authentication enforce session validation before processing any merchant-scoped data.
- Inbound webhooks from Shopify and Stripe are HMAC-validated.
Audit logging
- Every mutating action on Merchant Data (PO create, RMA create, settings change, etc.) writes an audit log entry tagged with operator identity, timestamp, and request ID.
- Cloudflare Workers request logs capture every worker invocation for 30 days.
- Audit log entries are retained for 2 years.
Test and production separation
- Skucast operates a separate staging environment (`skucast-staging` worker, separate KV namespaces) that never contains real Merchant Data.
- Development and testing use synthetic data or Merchant-authorized test stores only.
Backup and durability
- Cloudflare KV provides multi-region replication as the durability layer; Skucast does not maintain separate backup destinations.
- Source of truth for most Merchant Data is the Merchant's Shopify account, which is re-readable on demand if KV-stored derived records were ever lost.
Vulnerability management
- Dependencies are tracked via package manifests and reviewed for known vulnerabilities.
- Security advisories from Shopify, Cloudflare, Anthropic, and Resend are monitored.
- Security disclosures from external researchers can be submitted to [email protected].
Incident response
- Skucast maintains a documented internal Security Incident Response Policy.
- Confirmed Personal Data Breaches are reported to affected Merchants within 24 hours (see Section 10).
- Post-mortem records are retained for 7 years.
Personnel
- All personnel with access to production systems are bound by confidentiality obligations.
- Access is granted on a least-privilege basis and reviewed annually.
- On termination or role change, production access is revoked within 24 hours.