Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Agreement between Customer and Shreesoftic / SellerSaarthi for customers who process personal data through the Service. It is mandatory for enterprise customers and a recommended reference for all others.

1. Parties, subject matter, duration

The parties are Customer (Data Fiduciary / Controller) and SellerSaarthi (Data Processor). Subject matter: processing Amazon-derived data and Customer end-user data to operate the ad optimisation service. Duration: for the term of the Agreement.

2. Nature and purpose of processing

Automated optimisation of Amazon advertising campaigns on Customer's behalf — including reading campaign data, analysing performance, and writing back approved changes — plus transactional communication, billing, and support.

3. Types of personal data and categories of data subjects

Personal data: contact data for Customer's authorised users; billing and GST details; payment metadata. Data subjects: Customer's employees and contractors who access the Service. Amazon Data is Customer's commercial data and not personal data about SellerSaarthi end-users.

4. Processor obligations

SellerSaarthi will: (a) process personal data only on documented instructions from Customer; (b) maintain confidentiality; (c) implement the security measures described on the Security page; (d) assist Customer with data subject rights requests; (e) delete or return personal data on termination per the Retention Schedule.

5. Sub-processors

A current sub-processor list is maintained in the Privacy Policy. Customer has the right to object to a new sub-processor within 30 days of notice.

6. International transfers

Primary storage in India (AWS ap-south-1). Any transfer is accompanied by adequate safeguards (SCCs or equivalent) when required.

7. Data subject rights

SellerSaarthi provides the technical means for Customer to handle access, correction, and deletion requests within DPDP timelines.

8. Personal data breach notification

SellerSaarthi will notify Customer of any personal data breach without undue delay and in any event within 48 hours of confirmation.

9. Audit rights

Customer may audit SellerSaarthi's compliance with this DPA once per year on reasonable notice, subject to confidentiality. In lieu of an on-site audit, SellerSaarthi may provide current SOC 2-lite or equivalent attestations.

10. Deletion / return of data

On termination, SellerSaarthi deletes personal data per the Retention Schedule unless Customer requests export first. Backups are deleted on the next cycle after primary deletion.

11. Governing law and jurisdiction

This DPA is governed by Indian law and is subject to the dispute resolution clause of the main Agreement (arbitration in Surat, Gujarat).

12. Order of precedence

In the event of conflict between this DPA and the main Terms, the DPA controls with respect to processing of personal data.

13. Contact

privacy@sellersaarthi.com.

Effective date: 26 April 2026.