Spectrum Data Processing Addendum

Introduction

This Data Processing Addendum ("DPA") supplements the Spectrum Terms of Service (the "Agreement") entered into between Tectonic Technologies Inc. ("Spectrum", "we", "us") and the customer that accepts the Agreement ("Customer", "you"). It governs the processing of Customer Personal Data by Spectrum on behalf of the Customer in connection with the Spectrum platform (the "Services").

By using the Services, the Customer enters into this DPA on behalf of itself and, where required by Data Protection Laws, in the name of and on behalf of its Authorized Affiliates. To request a counter-signed copy of this DPA, contact support@tectonic.so.

In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following definitions apply:

"Authorized Affiliate" means any entity that controls, is controlled by, or is under common control with the Customer and is permitted to use the Services under the Agreement.

"Customer Personal Data" means Personal Data that Spectrum processes on behalf of the Customer in connection with providing the Services, including data relating to the Customer’s end-users (shoppers).

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other comparable US state privacy laws.

"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Personal Data Breach" have the meanings given in the GDPR (or, where applicable, the equivalent terms under other Data Protection Laws, including "business", "service provider", "consumer", and "process" under the CCPA).

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, and the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office.

"Sub-processor" means any third party engaged by Spectrum to process Customer Personal Data on its behalf.

2. Roles of the Parties

2.1. With respect to Customer Personal Data, the Customer is the Controller (or, under the CCPA, the Business) and Spectrum is the Processor (or, under the CCPA, the Service Provider). Each party will comply with its respective obligations under Data Protection Laws.

2.2. Spectrum is a "service provider" within the meaning of the CCPA. Spectrum will not (a) sell or share (as those terms are defined under the CCPA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services or as otherwise permitted by the CCPA; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship with the Customer; or (d) combine Customer Personal Data with Personal Data received from other sources, except as permitted by the CCPA.

3. Scope, Subject Matter, and Duration

3.1. This DPA applies to the processing of Customer Personal Data by Spectrum in connection with providing the Services to the Customer.

3.2. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are set out in Annex 1 (Description of Processing).

3.3. This DPA remains in effect for the duration of the Agreement and any period during which Spectrum continues to process Customer Personal Data after termination, until such data has been returned or deleted in accordance with Section 13.

4. Customer Instructions

4.1. Spectrum will process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do so by applicable law (in which case Spectrum will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest).

4.2. The Customer’s use of the Services as configured through the Spectrum platform constitutes the Customer’s documented instructions to Spectrum to process Customer Personal Data for the purposes set out in Annex 1. The Customer may issue additional written instructions consistent with the Agreement.

4.3. Spectrum will inform the Customer if, in Spectrum’s opinion, an instruction infringes Data Protection Laws.

5. Confidentiality of Personnel

Spectrum will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received training on their data protection responsibilities.

6. Security

6.1. Spectrum will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as set out in Annex 2 (Technical and Organizational Measures).

6.2. Spectrum may update the measures in Annex 2 from time to time provided that such updates do not materially diminish the overall level of security.

7. Sub-processors

7.1. General authorization. The Customer provides general written authorization for Spectrum to engage Sub-processors to process Customer Personal Data, subject to this Section 7.

7.2. Current Sub-processors. A current list of Spectrum’s Sub-processors is set out in Annex 3 (Sub-processors) and is also available to the Customer on request at support@tectonic.so.

7.3. Notification of changes. Spectrum will notify the Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance, giving the Customer the opportunity to object on reasonable grounds related to data protection.

7.4. Right to object. If the Customer reasonably objects to a new Sub-processor on data protection grounds and the parties cannot agree on a resolution within 30 days of the Customer’s objection, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services by providing written notice to Spectrum.

7.5. Sub-processor obligations. Spectrum will impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, and Spectrum will remain liable for the acts and omissions of its Sub-processors to the same extent as if performed by Spectrum.

8. Data Subject Rights

8.1. Spectrum will, taking into account the nature of the processing, assist the Customer through appropriate technical and organizational measures, insofar as possible, to fulfill the Customer’s obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, deletion, restriction, portability, and objection).

8.2. If Spectrum receives a request from a Data Subject directly, Spectrum will, without undue delay, advise the Data Subject to submit the request to the Customer and will not respond to the request itself except on the documented instructions of the Customer or as required by applicable law.

9. Personal Data Breach Notification

9.1. Spectrum will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2. Spectrum’s notification will include, to the extent then known: (a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) the name and contact details of a Spectrum point of contact.

9.3. Spectrum will provide the Customer with reasonable cooperation and assistance in connection with any notification or investigation required of the Customer under Data Protection Laws.

10. Data Protection Impact Assessments

Spectrum will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Data Protection Laws, in each case solely in relation to the processing of Customer Personal Data by Spectrum and taking into account the nature of the processing and the information available to Spectrum.

11. International Transfers

11.1. Spectrum’s primary processing infrastructure is located in the United States. The Customer authorizes Spectrum and its Sub-processors to transfer Customer Personal Data to other jurisdictions for the purpose of providing the Services.

11.2. EEA, UK and Swiss data. To the extent that Spectrum processes Customer Personal Data subject to the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection in a country that has not been recognized as providing an adequate level of protection, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference, with the Customer as the data exporter and Spectrum as the data importer. The UK International Data Transfer Addendum applies where transfers are subject to the UK GDPR.

11.3. Where Spectrum engages a Sub-processor to process Customer Personal Data subject to such laws, Spectrum will enter into back-to-back transfer mechanisms (including, where applicable, the Standard Contractual Clauses Module Three: Processor to Processor) with the Sub-processor.

12. Audit Rights

12.1. Spectrum will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.

12.2. Spectrum will satisfy its audit obligations under this Section 12 by providing the Customer with copies of relevant third-party certifications, audit reports (such as SOC 2 Type II or ISO 27001 reports, if and when available), and responses to reasonable security questionnaires.

12.3. If the Customer requires additional information or an on-site audit beyond what is provided under Section 12.2, the Customer may, on at least 30 days’ written notice and no more than once per calendar year (except where required by a competent supervisory authority or following a Personal Data Breach), conduct an audit at its own expense, during normal business hours, in a manner that does not unreasonably interfere with Spectrum’s operations and subject to confidentiality obligations.

13. Return or Deletion of Customer Personal Data

13.1. On termination or expiration of the Agreement, or earlier on the Customer’s written request, Spectrum will, at the Customer’s choice, return or delete all Customer Personal Data in its possession or control within 30 days, and delete existing copies, unless applicable law requires storage of the Customer Personal Data.

13.2. Spectrum may retain Customer Personal Data in archival or back-up systems until the regular deletion of such systems in the ordinary course of business, provided that any such retained data remains subject to the security and confidentiality obligations of this DPA and is not actively processed.

14. Liability

Each party’s liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Any reference to the liability of a party in the Agreement means the aggregate liability of that party under the Agreement and this DPA together.

15. Order of Precedence; Term

15.1. In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.

15.2. This DPA takes effect on the date the Customer accepts the Agreement and remains in effect for as long as Spectrum processes Customer Personal Data on behalf of the Customer.

Annex 1 — Description of Processing

Subject matter: Provision of the Spectrum platform to the Customer, including AI-powered personalization, experimentation, analytics, and storefront optimization features.

Duration: For the term of the Agreement and the period set out in Section 13.

Nature and purpose of processing: Collection, storage, organization, structuring, retrieval, use, transmission, and erasure of Customer Personal Data to deliver the Services and to generate Output as defined in the Agreement.

Categories of Data Subjects:

• The Customer’s end-users (shoppers) who browse or transact on the Customer’s Shopify storefront.

• The Customer’s authorized users who access the Spectrum platform (e.g. merchant admins).

Categories of Personal Data:

• Identifiers and contact data: customer name, email address, phone number, billing/shipping address, customer ID.

• Commercial information: order history, cart contents, products viewed, purchase events.

• Internet and similar network activity: device identifiers, IP address, user-agent, page views, clicks, session events, time stamps.

• Geolocation: approximate location derived from IP address (city/region level).

• Inferences: segments and tags derived from the above to enable personalization and analytics.

Special categories of data: None. The Customer must not submit special category personal data (as defined in GDPR Art. 9) or sensitive personal information (as defined in CCPA § 1798.140(ae)) to the Services.

Frequency of transfer: Continuous, while the Services are in use.

Retention: As described in Section 13 of this DPA and the Spectrum Privacy Policy.

Competent supervisory authority (for SCCs): As determined under Clause 13 of the SCCs based on the Customer’s establishment.

Annex 2 — Technical and Organizational Measures

Spectrum implements the following measures to ensure a level of security appropriate to the risk:

Encryption. Personal data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Database backups are encrypted.

Environment separation. Production and non-production (development, test, staging) environments are strictly separated. Real shopper personal data is not used in non-production environments.

Access control. Access to production systems requires single sign-on with mandatory multi-factor authentication and a strong password policy. Access to Customer Personal Data is granted on a least-privilege basis to personnel with a documented business need.

Logging and monitoring. Spectrum is implementing centralized access logging for protected customer data, retained for security audit and incident investigation. These logging programs will be in place prior to general availability of Spectrum on the Shopify App Store.

Data loss prevention. Spectrum is implementing a data loss prevention program combining technical controls (endpoint protection, secret scanning, egress monitoring), policies, and personnel training.

Incident response. Spectrum is finalizing a documented and tested security incident response plan covering detection, containment, eradication, recovery, and notification. Personal Data Breaches are notified to the Customer in accordance with Section 9.

Vulnerability management. Spectrum performs dependency scanning and reviews access to production systems on a regular basis.

Personnel. Spectrum personnel with access to Customer Personal Data are bound by confidentiality obligations and receive data protection training.

Sub-processor diligence. Spectrum performs due diligence on Sub-processors before engagement and binds them to data protection obligations no less protective than this DPA.

Business continuity. Spectrum maintains backup and recovery procedures designed to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident.

Annex 3 — Sub-processors

The following Sub-processors are engaged by Spectrum to process Customer Personal Data as of the effective date of this DPA. The current list is also available on request at support@tectonic.so.

Cloud hosting and edge compute — Vercel Inc. (United States); Cloudflare, Inc. (United States).

Database and storage — Supabase Inc. (United States); Cloudflare R2 (United States).

Background jobs and orchestration — Trigger.dev Ltd. (United Kingdom).

Observability and analytics — Langfuse GmbH (Germany).

AI/LLM providers — OpenAI, L.L.C. (United States); Anthropic, PBC (United States).

Email delivery — transactional and lifecycle email provider (current vendor disclosed on request).

Spectrum will notify the Customer of any intended addition or replacement of a Sub-processor in accordance with Section 7.3.

Questions about this DPA? Contact support@tectonic.so.