Data Processing Agreement
Version 1.0 • Effective date: May 23, 2026 • Last updated: June 25, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the SkuFx Terms of Service between 辽阳普维商贸有限公司 (Liaoyang Puwei Trading Co., Ltd.) ("Processor", "SkuFx") and you ("Controller"). It applies where the Controller is subject to data protection law that requires a data processing agreement (e.g., the EU General Data Protection Regulation (GDPR), the UK GDPR, or equivalent legislation).
Enterprise customers requiring a signed DPA should contact privacy@skufx.com to request a countersigned copy.
1. Definitions
- Controller: you, the SkuFx customer who determines the purposes and means of processing personal data.
- Processor: 辽阳普维商贸有限公司 (Liaoyang Puwei Trading Co., Ltd.) (SkuFx), acting on the Controller's instructions.
- Personal Data: any information relating to an identified or identifiable natural person, as defined by applicable law.
- Processing: any operation performed on personal data (collection, storage, retrieval, use, disclosure, deletion).
- Sub-processor: a third party engaged by the Processor to assist in processing personal data.
- Services: the SkuFx SaaS platform as described in the Terms of Service.
2. Scope and Purpose
The Processor processes personal data solely to provide the Services to the Controller, as described in the Terms of Service and Privacy Policy. Processing is limited to the categories of data and data subjects listed in Schedule A of this DPA.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller (which includes these Terms and the features you enable).
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in our Privacy Policy (Section 4) and Security page.
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability) without undue delay.
- Delete or return personal data upon termination of the Services, unless storage is required by law.
- Make available to the Controller information necessary to demonstrate compliance with this DPA.
4. Sub-processors
The Controller authorizes the Processor to engage sub-processors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor by updating this page and emailing active users. If the Controller objects, it may terminate the affected Services per the Terms of Service.
Current sub-processors:
| Sub-processor | Service | Data Processed | Location |
|---|---|---|---|
| Vercel, Inc. | Marketing website hosting (Next.js) | Public marketing traffic; web request logs | Global (USA primary) |
| RackNerd LLC | Application backend & database hosting | All seller SP-API data; account data | United States |
| Alibaba Cloud (Aliyun) | DNS management | DNS query metadata only (no seller data) | China |
| GitHub, Inc. | Source code repository | Application source code (no seller data) | United States |
| Sentry (Functional Software, Inc.) | Error tracking | Application error logs (no PII) | United States |
| Tencent Cloud (Exmail) | Business email | Support & operational emails (sellers' own non-PII summaries) | China |
5. Data Subject Rights
The Processor shall, to the extent technically feasible, assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15–22 GDPR. Requests should be submitted to privacy@skufx.com. We will acknowledge within 72 hours and respond fully within 30 days.
6. Security Incident Notification
The Processor shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting the Controller's data. Notification will be sent to the Controller's registered email address and will include: (a) a description of the incident; (b) categories and approximate number of individuals and records affected; (c) likely consequences; (d) measures taken or proposed.
Security incidents should also be reported to security@skufx.com.
7. Audits and Inspections
The Processor shall make available information necessary to demonstrate compliance with this DPA and cooperate with reasonable audit requests. Audits shall be conducted with at least 30 days' written notice, at the Controller's cost, and shall not unreasonably disrupt the Processor's operations.
8. International Data Transfers
Where the Controller is established in the EEA or UK and personal data is transferred to the Processor or sub-processors outside the EEA/UK, such transfers are made pursuant to Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914). A copy of the applicable SCCs is available on request from privacy@skufx.com.
9. Term and Termination
This DPA remains in force for the duration of the Controller's subscription to the Services. It terminates automatically upon termination or expiry of the Terms of Service.
10. Return or Deletion of Data
Upon termination of the Services, the Processor shall, at the Controller's election: (a) return a copy of the Controller's personal data in a machine-readable format; or (b) securely delete all personal data. Deletion will be completed within 30 days of termination. The Processor may retain data where required by applicable law, in which case it will notify the Controller.
Schedule A — Details of Processing
Categories of Data Subjects
- The Controller's Amazon buyer customers (order and shipping data only, if the Orders role is granted).
- The Controller's registered users on SkuFx (account data).
Categories of Personal Data
- Account data: name, email address, company name, IP address.
- SP-API data: as described in the SkuFx Privacy Policy, Section 2.2, limited to the roles authorized by the Controller.
Purpose and Legal Basis of Processing
- Purpose: provision of the SkuFx SaaS platform features.
- Legal basis (GDPR): Article 6(1)(b) — processing necessary for the performance of a contract.
Retention Period
As set out in the SkuFx Privacy Policy, Section 6.