Data Processing Agreement

1. Parties & Roles

This Data Processing Agreement (“DPA”) governs the processing of personal and catalog data by NSOLVIA Inc. (“Processor”) on behalf of the merchant (“Controller”) using NSOLVIA DATA services. The merchant determines what catalog data is processed; NSOLVIA only processes that data on the merchant’s instructions.

2. Data Processed

• Product titles, descriptions, prices, images, variants
• Product categories, tags, and structured attributes
• Merchant identifiers (store URL, plan, contact email)

3. Purpose

Catalog data is processed solely to normalize, enrich, and distribute it through the feeds and APIs activated by the merchant — Google Shopping, Meta, Pinterest, ChatGPT, semantic search, and the merchant dashboard. Data is never used for purposes outside these activated services.

4. Sub-processors

• Supabase — encrypted database storage (USA)
• Vercel — serverless hosting (USA)
• OpenAI — catalog enrichment and embeddings

NSOLVIA will notify merchants of new sub-processors at least 30 days before engaging them.

5. Security Measures

• Encryption in transit (HTTPS / TLS 1.2+)
• Encryption at rest for all stored catalog data
• Access via per-merchant bearer tokens — service keys never exposed client-side
• Role-based access for internal NSOLVIA staff with audit logging

6. Data Transfers

Catalog data is stored in the United States via Supabase. International merchants consent to this transfer by accepting these terms. Standard Contractual Clauses are available on request for merchants subject to GDPR or equivalent regimes.

7. GDPR Rights

Merchants may exercise GDPR rights — access, rectification, deletion, portability, objection — by emailing team@nsolvia.com. Requests are processed within 30 days.

8. Term & Termination

This DPA remains in force for the duration of the NSOLVIA DATA subscription. Upon termination, all merchant catalog data is permanently deleted within 30 days.

9. Contact

DPA questions or sub-processor disclosures: team@nsolvia.com.