CloudCommerce - Enterprise E-Commerce Platform

This DPA applies when:

Cloud Commerce processes personal data on your behalf (Merchant Customer Data)
You're subject to GDPR, UK GDPR, CCPA/CPRA, or similar privacy laws
You act as Controller/Business, we act as Processor/Service Provider

This DPA supplements our Terms of Service. If conflict regarding personal data processing, DPA controls where required by law.

1. Definitions & Roles

Controller/Business: You (the Merchant)

Processor/Service Provider: Cloud Commerce (LaunchDS LLC)

Personal Data: Data you submit about your customers

2. Processing Scope

Subject Matter	E-commerce operations, AI processing
Duration	Term of agreement + 30 days post-termination
Nature & Purpose	Provide Services, prevent fraud, maintain security
Data Categories	Identifiers, contact info, order data, customer communications
Data Subjects	Your customers/end users

3. Cloud Commerce Obligations

We will:

Process data only per your instructions
Ensure personnel confidentiality
Implement appropriate security measures
Assist with data subject requests
Notify you of breaches within 72 hours
Delete/return data upon termination (30-day window)
Not sell your customer data

4. Subprocessors

We use subprocessors to deliver the Service. Current list: Subprocessors Page

Notice of changes: 30-day advance notice. You may object on data-protection grounds.

5. Security Measures

Encryption: TLS 1.3 in transit, AES-256-GCM at rest
Access control: Role-based, least privilege
Authentication: JWT with rotation
Monitoring: Real-time error/security tracking
Backups: Daily automated, encrypted
Incident response: <72 hour notification

6. Data Subject Rights

We'll assist you with:

Access: Audit pack export (self-service, <5 min)
Deletion: Account deletion + 30-day purge
Rectification: Edit account info in settings
Portability: JSON export format

7. International Transfers

For EU/UK transfers, we use:

EU SCCs (Standard Contractual Clauses 2021/914)
UK Addendum (ICO international transfer addendum)
Module Two: Controller → Processor

8. U.S. State Privacy (CCPA/CPRA)

For California data, we act as Service Provider/Contractor:

Process solely to provide Services
Won't sell personal data
Won't retain/use outside business relationship
Certify understanding of restrictions

9. Audits

Enterprise customers: Annual audit rights. We provide security summaries, SOC2 reports (when available), and compliance questionnaires.

10. Term & Termination

DPA terminates with Terms. Upon termination:

30-day data export window
Data deletion after 30 days (except legal holds)
Backups retained per retention cycles, then deleted

11. Liability

Liability subject to limits in Terms (maximum extent permitted by law).

Document ID: DPA-v1.0.0
Entity: LaunchDS LLC (d/b/a Cloud Commerce)
Address: 94 County Route 18, Lake Clear, NY, USA
Contact: [email protected]
Supplements: Terms of Service v1.0.0

Data Processing Addendum (DPA)