This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement (“Principal Agreement”) between:
- Processor: B2Bridge B2B Wholesale Pricing, a Shopify app developed and operated by BSS Commerce.
- Controller: The Shopify Merchant who installs and uses the B2BRIDGE App.
Together, the Processor and Controller are the “Parties.”
1. Subject Matter and Purpose
The purpose of this DPA is to define the rights and obligations of the parties regarding the processing of personal data by B2BRIDGE on behalf of the Merchant.
B2BRIDGE provides B2B functionalities such as customer registration, auto-approval, and manual order creation.
The App does not perform behavioral tracking or session recording of customers.
2. Duration
This DPA remains in effect for as long as the Merchant uses the App and until all personal data processed on behalf of the Merchant has been deleted in accordance with this DPA (Annex II).
3. Categories of Data Subjects
The categories of data subjects whose personal data may be processed include:
- Customers who register via the B2BRIDGE registration form.
- The Merchant’s staff or authorized users managing the app (for app access and configuration purposes).
4. Types of Personal Data
The types of personal data processed may include:
- Customer data: name, email, phone number, password (used only during registration; not stored in our database), registration details.
- Merchant data: Shopify store information, contact email, app usage configuration.
- Excluded Data: No payment card data, social security numbers, or other sensitive identifiers are collected.
5. Obligations of the Controller
The Controller shall:
- Ensure that all personal data provided to B2BRIDGE has been lawfully collected.
- Provide instructions to B2BRIDGE regarding data processing.
- Maintain an appropriate legal basis for processing under applicable data protection laws.
- Inform data subjects as required by law.
6. Obligations of the Processor
The Processor agrees to:
- Process personal data only on documented instructions from the Controller.
- Ensure that authorized personnel are bound by confidentiality.
- Implement the technical and organizational security measures described in Annex I.
- Assist the Merchant in fulfilling obligations related to data subject rights.
- Delete or return personal data at the end of service provision in accordance with Annex II.
7. Sub-processors
B2BRIDGE engages third-party Sub-processors to support service delivery.
Details of current Sub-processors are listed in Annex III.
Each Sub-processor is bound by written agreements ensuring the same level of data protection as required by this DPA.
8. International Data Transfers
8.1 Personal data processed by the Processor may be stored and processed in the United States (e.g., the Linode hosting facility in Seattle, WA).
8.2 Where personal data originating from the European Economic Area (EEA) is transferred outside the EEA, such transfers will be protected by Standard Contractual Clauses (SCCs) or other legally valid mechanisms.
9. Security Measures
B2BRIDGE implements appropriate technical and organizational measures to protect personal data, as outlined in Annex I.
These include encryption, access control, network protection, and system monitoring.
10. Data Subject Rights
B2BRIDGE shall assist the Merchant, as reasonably possible, in responding to data subject requests for access, correction, erasure, or restriction of processing.
11. Audit & Reporting
Upon reasonable request, B2BRIDGE shall provide documentation or other information necessary to demonstrate compliance with this DPA.
Any audits shall be limited to once per year and conducted during normal business hours, unless required by law.
12. Data Breach Notification
In the event of a personal data breach, B2BRIDGE shall notify the Merchant without undue delay, providing relevant details and recommended mitigation steps.
13. Liability & Indemnity
To be agreed upon by the Parties in the Principal Agreement. Typically: each Party is liable for damages arising from its own breach of data protection obligations.
14. Termination
Upon termination of the Principal Agreement:
- The Controller may instruct the Processor to return or delete personal data.
- Unless otherwise instructed, the Processor will delete personal data according to Annex II.
15. Governing Law & Jurisdiction
This DPA shall be governed by the laws of Vietnam, unless otherwise required by applicable data protection law.
By installing and using the B2BRIDGE app, the Merchant agrees to this Data Processing Agreement.
Annex I – Technical & Organizational Security Measures
B2BRIDGE maintains the following measures to ensure the protection of personal data:
- Encryption: Secure encryption for data in transit and at rest.
- Access Control: Limited access to authorized personnel only.
- Network Security: Firewall and DDoS protection via Cloudflare.
- Hosting Security: Secure server environment on Linode (US).
- Monitoring & Logging: Continuous monitoring and logging of unusual activity.
- Backups: Regular encrypted backups to ensure data availability.
Annex II – Data Retention & Deletion
- Upon App uninstallation, all personal data will be automatically deleted within 30 days.
- The Merchant may request earlier deletion via written notice.
- Backup data is purged in accordance with the same timeline.
Annex III – Sub-processors
- Linode – Hosting & Database (Region: US, Seattle, WA).
- Cloudflare – CDN, WAF, DDoS Protection.
- Mailgun – Transactional Emails.


