Data Processing Agreement
Last updated: April 2026
Overview
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Peaklyst, a product of tupevo S.àr.l.-S ("Processor"), and the customer using the Peaklyst service ("Controller"). It governs the processing of personal data by Peaklyst on behalf of the Controller and is designed to comply with Article 28 of Regulation (EU) 2016/679 (the "GDPR").
This DPA takes effect automatically when a Controller signs up for a Peaklyst subscription and remains in force for the duration of the service. Customers requiring a counter-signed copy on their own paper may request one by contacting [email protected].
1. Subject Matter and Duration
The Processor provides an AI-powered Amazon listing optimization platform. In the course of providing the service, the Processor processes personal data on behalf of the Controller as described in Annex 1. This DPA applies for the entire duration of the service and ends automatically when the Controller's subscription is terminated, subject to the post-termination obligations in Section 11.
2. Nature and Purpose of Processing
The purpose of the processing is to enable the Controller to use the Peaklyst service: generating AI-powered listing content, running keyword research and tracking on the Controller's own listings, calculating listing quality scores, and running write-on-approval autopilot optimization cycles. Personal data is processed solely to deliver these contractual services.
3. Types of Personal Data and Categories of Data Subjects
Types of personal data:
- Account data: name, email address, billing details of the Controller's employees or authorized users
- Authentication data: password hashes, session tokens, 2FA secrets
- Usage data: IP addresses, device and browser identifiers, access logs
Peaklyst does not process Amazon buyer Personally Identifiable Information (PII). The Amazon marketplace data processed through the Selling Partner API (listing attributes, category requirements, and listing performance summaries) is commercial business data belonging to the Controller and does not identify individual buyers.
Categories of data subjects: the Controller's employees, contractors, and authorized users of the Peaklyst platform.
4. Obligations of the Processor
The Processor will:
- Process personal data only on documented instructions from the Controller, including for transfers to a third country, unless required to do so by Union or Member State law applicable to the Processor;
- Ensure that persons authorized to process personal data are subject to confidentiality obligations or a statutory duty of confidentiality;
- Implement appropriate technical and organizational measures (described in Annex 2) to ensure a level of security appropriate to the risk;
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR;
- Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security of processing, breach notification, data protection impact assessments, prior consultation);
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage;
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
5. Obligations of the Controller
The Controller warrants that it has a lawful basis under Article 6 GDPR for the processing instructed to the Processor, that it has provided the required information to data subjects under Articles 13 and 14 GDPR, and that it will comply with its own obligations under applicable data protection law.
6. Sub-processors
The Controller hereby grants general authorization to the Processor to engage sub-processors for the provision of the service. A current list of sub-processors is maintained in our Privacy Policy and includes the categories listed in Annex 3.
The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes. If the Controller reasonably objects, the parties will negotiate in good faith; if no agreement is reached, the Controller may terminate the service on a pro-rata refund basis.
The Processor will impose on each sub-processor, by way of contract, the same data protection obligations as set out in this DPA. Where the sub-processor fails to fulfill its data protection obligations, the Processor remains fully liable to the Controller.
7. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V GDPR. For transfers to countries without an adequacy decision, the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914) are incorporated by reference with the Processor as "data importer" and the Controller as "data exporter," Module Two (controller to processor).
8. Security of Processing
The Processor has implemented and will maintain the technical and organizational measures described in Annex 2, including encryption at rest and in transit, tenant-level data isolation, least-privilege access controls, continuous vulnerability scanning, and an incident response process. See the Security page for a full description.
9. Personal Data Breaches
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting personal data processed on behalf of the Controller. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
Where the breach involves Amazon marketplace data, the Processor will additionally notify Amazon within 24 hours of discovery, as required by Amazon's Data Protection Policy.
10. Data Subject Requests
The Processor will, to the extent legally permissible, promptly notify the Controller of any request it receives directly from a data subject for access, rectification, deletion, restriction, portability, or objection concerning the Controller's data. The Processor will not respond to such requests itself, except to confirm receipt and direct the data subject to the Controller.
The Processor provides tooling in the Peaklyst platform that allows the Controller to export, rectify, and delete personal data directly, in order to fulfill data subject requests under GDPR Articles 15-22.
11. Return and Deletion of Data
Upon termination of the service, the Controller may, within 30 days, export all personal data processed under this DPA through the Peaklyst platform's export functionality. After the 30-day grace period, the Processor will delete all personal data and Amazon marketplace data within a further 90 days, including all copies in backups, unless retention is required by Union or Member State law.
On written request, the Processor will provide the Controller with written confirmation that deletion has been completed.
12. Audits
The Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR. Upon reasonable written request (no more than once per twelve-month period, unless a personal data breach has occurred), the Processor will provide the Controller with the most recent third-party security audit reports, penetration test summaries, and responses to a reasonable security questionnaire.
An on-site audit by the Controller or its mandated auditor is permitted for cause, subject to reasonable notice (at least 30 days), confidentiality obligations, and performance during normal business hours without unreasonable disruption to the Processor's operations.
13. Liability
The liability of each party under this DPA is governed by the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for damages caused to a data subject for a violation of the GDPR for which that party is held liable under Article 82 GDPR.
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the Grand Duchy of Luxembourg. The competent courts of Luxembourg City have exclusive jurisdiction over any dispute arising from this DPA, without prejudice to the mandatory competence of the courts of the data subject's habitual residence under Article 79 GDPR.
15. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, the provisions of this DPA prevail with respect to the processing of personal data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
Annex 1 — Processing Details
Subject matter: Provision of the Peaklyst AI Amazon listing optimization platform.
Duration: For the term of the Controller's subscription, plus the post-termination obligations in Section 11.
Nature and purpose: Storage, analysis, and AI-based processing of Amazon marketplace data and account data to deliver optimization services.
Types of personal data: Account, authentication, and usage data as listed in Section 3.
Categories of data subjects: Employees and authorized users of the Controller.
Annex 2 — Technical and Organizational Measures
- Access control: Role-based access, 2FA, named administrative accounts, access logging, quarterly access reviews.
- Encryption: TLS 1.3 in transit, AES-256 at rest, encrypted backups in a separate region.
- Tenant isolation: PostgreSQL row-level security, per-seller Amazon data segregation.
- Network security: Private cluster networks, Cloudflare Tunnels with DDoS and WAF, Cilium default-deny NetworkPolicies.
- Container security: Non-root, read-only root filesystem, distroless base images, continuous Trivy scanning.
- Secrets management: OpenBao vault with External Secrets Operator, automatic rotation, append-only access logs.
- Monitoring: Centralized structured logs, metrics, traces; on-call alerting via Slack and PagerDuty.
- Incident response: Four-stage process (triage, containment, eradication, review) with written post-mortems.
- Business continuity: Regular backup restore drills; high-availability multi-node database and application clusters.
- Personnel: Confidentiality obligations for all employees; security awareness training on hire and annually thereafter.
Annex 3 — Sub-processors
Peaklyst relies on the following categories of sub-processors:
- Cloud hosting and infrastructure providers (EU/US)
- Payment processor (Stripe, EU/US)
- Transactional email provider (Resend, EU/US)
- Error monitoring (self-hosted Glitchtip, EU)
- Analytics (self-hosted Umami, EU — cookieless and pseudonymous)
- AI model providers for listing content suggestions (Anthropic — US with SCCs; Inceptron, Scaleway — EU). Each provider's DPA prohibits training on Amazon Information.
The canonical list of current sub-processors is maintained in the Privacy Policy — Sub-processors section.
Contact
For questions about this DPA, to request a counter-signed copy, or to exercise any rights under it, contact us at:
- Legal: [email protected]
- Data protection: [email protected]
- General inquiries: Contact page