Data Processing Addendum

Effective date: June 1, 2025 · Last updated: April 3, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between ResellerIO ("Processor") and the customer ("Controller") who uses the ResellerIO Service. It sets out the terms under which ResellerIO processes personal data on behalf of the Controller.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person processed under this DPA.
  • Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • Sub-processor — any third party engaged by ResellerIO to process Personal Data.
  • GDPR — the EU General Data Protection Regulation 2016/679 and any applicable national implementations.
  • CCPA — the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and the CPRA amendments.

2. Scope and Role

ResellerIO acts as a Processor with respect to Personal Data that the Controller submits to the Service. The Controller determines the purposes and means of processing. Each party agrees to comply with applicable data protection laws.

3. Subject Matter of Processing

Nature: Storage, AI-assisted analysis, image processing, export generation, and delivery of the ResellerIO platform.
Purpose: Providing the features described in the Privacy Policy and any order documentation.
Duration: For the term of the customer's active subscription or account, plus any legally required retention period thereafter.
Data types: Email addresses, hashed passwords, API token metadata, product descriptions, product images, storefront content, marketplace copy, pricing data, public inquiry metadata, billing identifiers, and usage/security logs.
Data subjects: Users and customers of the Controller who interact with the ResellerIO platform.

4. Processor Obligations

ResellerIO shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorised to process the Personal Data have committed to confidentiality.
  • Implement appropriate technical and organisational security measures as described in Section 7.
  • Assist the Controller in responding to Data Subject rights requests within 30 days.
  • Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
  • Delete or return all Personal Data to the Controller upon termination of the Service, at the Controller's choice, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow audits conducted by the Controller or an authorised auditor.

5. Sub-processors

ResellerIO hereby notifies the Controller of the following approved sub-processors and processing categories used to operate the Service.

Sub-processor                               | Purpose                                                               | Location
--------------------------------------------|-----------------------------------------------------------------------|----------------------------
Google LLC (Gemini API)                     | AI image analysis, description generation, pricing research           | USA
SerpAPI, LLC                                | Market price research via search index queries                        | USA
Photoroom SAS                               | Background removal and image cleanup                                  | As configured by provider
Tigris-compatible object storage provider   | Object storage for product media and import/export archives           | As configured by ResellerIO
Public media delivery / CDN provider        | Public delivery of storefront assets and images when configured       | As configured by ResellerIO
LemonSqueezy                                | Subscription billing, checkout, and webhook processing                | USA

ResellerIO will provide at least 30 days' prior written notice before adding or replacing any sub-processor. The Controller may object in writing within that period.

6. International Transfers

All primary processing takes place in the United States. Where ResellerIO transfers Personal Data to sub-processors, it ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other mechanisms approved under applicable data protection law.

7. Security Measures

ResellerIO implements the following technical and organisational measures:

  • TLS encryption in transit for all data exchanges.
  • Encryption at rest for stored objects where supported by the configured storage provider.
  • Password hashing using PBKDF2-SHA256 before storage; API tokens hashed before storage.
  • HttpOnly session cookies with SameSite protections and Secure cookies in production.
  • HTTPS enforcement and HSTS in production deployments.
  • Origin allowlists for browser-based API access.
  • Signed object-storage upload/download workflows and HMAC-verified billing webhooks.
  • Rate limiting for public storefront inquiries and archive validation for imports.
  • Least-privilege access controls and role-based separation for infrastructure.
  • Operational logging and monitoring for service health, abuse prevention, and incident response.

8. Data Subject Rights Assistance

ResellerIO will, upon request, assist the Controller in fulfilling its obligations to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, and objection) taking into account the nature of the processing and the information available to ResellerIO.

9. Data Breach Notification

In the event of a confirmed Personal Data breach, ResellerIO will notify the Controller within 72 hours of becoming aware of the breach, providing sufficient information to allow the Controller to meet its own notification obligations.

10. Term and Termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, ResellerIO will delete or return all Personal Data within 30 days unless applicable law requires longer retention. Obligations of confidentiality and security survive termination.

11. Governing Law

This DPA is governed by the laws of the State of Texas, United States, without regard to its conflict of law provisions, unless a mandatory provision of applicable data protection law requires otherwise.

12. Contact

Data protection enquiries: privacy@resellerio.com