Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Use between PantoSource ("Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your") that accesses our Services. This DPA reflects the parties' agreement with respect to the processing of personal data by PantoSource on behalf of the Customer in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

Quick Summary

• Purpose: Governs how PantoSource processes personal data on behalf of merchants and their end-users.

• Roles: Customer is the data controller; PantoSource is the data processor.

• Data Processed: Order data, customer names, email addresses, phone numbers, billing/shipping addresses, IP addresses, and tracking event data.

• International Transfers: Standard Contractual Clauses (SCCs) apply for transfers from the EEA, UK, and Switzerland.

• Sub-processors: Listed at https://pantosource.com/sub-processors.

• Contact: For DPA inquiries, email privacy@pantosource.com.

1. Definitions

For the purposes of this DPA:

• "Controller" means the Customer who determines the purposes and means of the processing of personal data.

• "Processor" means PantoSource, which processes personal data on behalf of the Controller.

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

• "Processing" means any operation performed on Personal Data, whether automated or not.

• "Data Subject" means the individual to whom the Personal Data relates (e.g., the Customer's end-users).

• "Sub-processor" means any third party engaged by PantoSource to process Personal Data on its behalf.

• "Applicable Data Protection Laws" means the GDPR, the UK GDPR, the CCPA/CPRA, and other privacy laws applicable to the processing of Personal Data.

2. Roles and Scope

2.1 Roles

The parties acknowledge and agree that:

• The Customer acts as the Controller of Personal Data relating to its end-users (e.g., website visitors and customers).

• PantoSource acts as the Processor of such Personal Data on behalf of the Customer.

2.2 Scope of Processing

PantoSource will process Personal Data only:

• On documented instructions from the Customer (including those given when the Customer configures the Service)

• For the purpose of providing the Services as described in our Terms of Use

• In accordance with this DPA and applicable laws

3. Categories of Data and Data Subjects

3.1 Types of Personal Data Processed

PantoSource processes the following categories of Personal Data on behalf of the Customer:

• Identifiers: Names, email addresses, phone numbers, IP addresses, device identifiers, customer IDs

• Transaction Data: Order IDs, purchase amounts, currency, billing and shipping addresses, product information

• Behavioral Data: Page views, clicks, add-to-cart events, conversions, and other tracking events

• Technical Data: Browser type, operating system, screen resolution, referring URLs, timestamps

3.2 Categories of Data Subjects

The Data Subjects whose Personal Data is processed include:

• The Customer's website visitors

• The Customer's customers (purchasers)

• The Customer's leads or registered users

3.3 Duration of Processing

PantoSource will process Personal Data for the duration of the Customer's subscription to the Services, plus any retention period required by law or specified in our Privacy Policy.

4. Obligations of PantoSource

4.1 Confidentiality

PantoSource will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

4.2 Security Measures

PantoSource will implement appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)

• Role-based access controls and multi-factor authentication for administrative access

• Regular security assessments and vulnerability scanning

• Staff training on data protection and security best practices

• Logging and monitoring of access to Personal Data

• Secure software development practices

For full details, see our Security page at https://pantosource.com/security.

4.3 Assistance with Data Subject Rights

PantoSource will assist the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, and objection) by providing reasonable technical and organizational measures, taking into account the nature of the processing.

4.4 Personal Data Breach Notification

PantoSource will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach affecting the Customer's data. The notification will include:

• A description of the nature of the breach

• The categories and approximate number of Data Subjects and records affected

• The likely consequences of the breach

• The measures taken or proposed to address the breach

4.5 Records of Processing

PantoSource will maintain records of all categories of processing activities carried out on behalf of the Customer, as required by Article 30 of the GDPR.

5. Sub-processors

5.1 Authorization

The Customer provides general authorization to PantoSource to engage Sub-processors to process Personal Data, subject to the conditions in this Section.

5.2 List of Sub-processors

A current list of Sub-processors is available at https://pantosource.com/sub-processors. PantoSource will notify the Customer of any intended changes to Sub-processors by updating this list. Customers can subscribe to notifications of changes through the page.

5.3 Sub-processor Obligations

PantoSource will:

• Enter into written agreements with each Sub-processor that impose data protection obligations at least as protective as those in this DPA

• Remain liable for the acts and omissions of its Sub-processors as if they were its own

5.4 Objection Rights

If the Customer reasonably objects to a new Sub-processor, the Customer may terminate the Services without penalty within thirty (30) days of the notification.

6. International Data Transfers

6.1 Primary Data Location

Personal Data is processed and stored primarily in the United States.

6.2 Cross-Border Transfers

For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other third countries, PantoSource will rely on:

• The European Commission's Standard Contractual Clauses (SCCs), Module Two (Controller to Processor), incorporated by reference into this DPA, or

• Other lawful transfer mechanisms recognized under applicable data protection laws

6.3 Supplementary Measures

PantoSource implements additional safeguards including encryption, access controls, and contractual measures to ensure that transferred Personal Data is protected to a standard equivalent to that required by EU law.

7. Audits

7.1 Audit Rights

The Customer may, at its own expense and no more than once per twelve (12) month period, audit PantoSource's compliance with this DPA. Audits must be:

• Requested in writing at least thirty (30) days in advance

• Conducted during normal business hours

• Reasonable in scope and duration

• Subject to confidentiality obligations

7.2 Alternative Evidence

In lieu of an on-site audit, PantoSource may provide the Customer with copies of relevant third-party audit reports, certifications (e.g., SOC 2, ISO 27001), or self-assessments, where available.

8. Return and Deletion of Personal Data

8.1 Upon Termination

Upon termination of the Services, PantoSource will, at the Customer's choice:

• Return all Personal Data to the Customer in a structured, commonly used, machine-readable format, or

• Delete all Personal Data from PantoSource's systems

8.2 Retention Exceptions

PantoSource may retain Personal Data to the extent required by applicable law, in which case PantoSource will:

• Inform the Customer of the legal retention requirement

• Continue to protect the Personal Data in accordance with this DPA

• Delete the Personal Data once the legal retention period expires

9. Liability

The parties' respective liability under this DPA is governed by the limitations of liability set out in the Terms of Use.

10. . Order of Precedence

In the event of any conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to the processing of Personal Data.

11. . Governing Law

This DPA is governed by the laws of the State of Wyoming, United States, except where applicable data protection law requires otherwise.

12. . Contact

For DPA-related inquiries:

Panto Martech LLC d/b/a PantoSource

Address: 2333 Brickell ave D1 #36 Miami FL 33129

Email: privacy@pantosource.com

To request a signed copy of this DPA, please email privacy@pantosource.com with the subject line "DPA Request."