Data Processing Agreement

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Data Controller" means the Merchant who determines the purposes and means of processing.
• "Data Processor" means Slingshot, who processes data on behalf of the Merchant.

Slingshot processes Personal Data solely to provide back-in-stock notification services. The categories of data processed include:

• Customer email addresses
• Customer phone numbers (if SMS enabled)
• Product subscription preferences
• Notification delivery and engagement data

Slingshot agrees to:

• Process Personal Data only on documented instructions from the Merchant
• Ensure persons authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Merchant in responding to data subject requests
• Delete or return all Personal Data upon termination of services
• Make available all information necessary to demonstrate compliance

Slingshot uses the following sub-processors:

• Resend Inc. (USA) - Email delivery
• Twilio Inc. (USA) - SMS delivery
• Neon Inc. (USA) - Database hosting
• Vercel Inc. (USA) - Application hosting

Personal Data may be transferred to the United States. Such transfers are protected by Standard Contractual Clauses approved by the European Commission.

Slingshot implements the following security measures:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication
• Regular security assessments
• Incident response procedures

Slingshot will notify the Merchant of any Personal Data breach without undue delay and within 72 hours of becoming aware of the breach.