Theia North
Legal

Data Processing Agreement

Last updated: December 27, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Theia North, Inc. ("Theia North," "Processor," "we," or "us") and the customer agreeing to these terms ("Customer," "Controller," or "you") for the use of our Services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Theia North on behalf of Customer in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Theia North to process Personal Data on behalf of Customer.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

2. Scope and Roles

2.1 Customer as Controller

Customer is the Controller of Personal Data and determines the purposes and means of Processing. Customer is responsible for ensuring that it has a lawful basis for Processing Personal Data and for providing any required notices to Data Subjects.

2.2 Theia North as Processor

Theia North acts as a Processor on behalf of Customer. We process Personal Data only in accordance with Customer's documented instructions and the terms of this DPA.

3. Processing Details

3.1 Subject Matter

The Processing is performed to provide the Services as described in our Terms of Service, including inventory management, commerce synchronization, and related business operations tools.

3.2 Duration

Processing will continue for the duration of the agreement between Customer and Theia North, plus any retention period required by law or as specified in this DPA.

3.3 Categories of Data Subjects

Data Subjects may include Customer's employees, contractors, end customers, suppliers, and other individuals whose data is submitted to the Services.

3.4 Types of Personal Data

Personal Data processed may include: names, email addresses, phone numbers, shipping addresses, transaction history, and other information submitted by Customer to the Services.

4. Theia North Obligations

4.1 Processing Instructions

We will process Personal Data only in accordance with Customer's documented instructions, unless required by applicable law. If we believe an instruction violates applicable data protection law, we will promptly notify Customer.

4.2 Confidentiality

We ensure that persons authorized to process Personal Data are bound by confidentiality obligations. Access to Personal Data is limited to personnel who require access to perform the Services.

4.3 Security Measures

We implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in our Security page. These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and testing
  • Incident detection and response procedures
  • Employee security training

4.4 Data Subject Rights

We will assist Customer in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, and data portability. We will promptly notify Customer of any requests received directly from Data Subjects.

4.5 Security Incidents

We will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Security Incident affecting Personal Data. Notification will include available information about the nature of the incident, categories of data affected, and measures taken or proposed to address the incident.

5. Sub-processors

5.1 Authorization

Customer authorizes us to engage Sub-processors to process Personal Data. We maintain a list of current Sub-processors, which we will provide upon request.

5.2 Sub-processor Obligations

We ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA. We remain liable for the acts and omissions of our Sub-processors.

5.3 Changes to Sub-processors

We will provide Customer with at least 30 days' notice before engaging a new Sub-processor. Customer may object to a new Sub-processor by notifying us within 14 days. If we cannot accommodate the objection, Customer may terminate the affected Services.

6. International Transfers

If Personal Data is transferred outside the country of origin, we ensure appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses approved by relevant authorities
  • Transfers to countries with adequate data protection laws
  • Other lawful transfer mechanisms as applicable

7. Data Retention and Deletion

7.1 During the Agreement

We retain Personal Data for the duration necessary to provide the Services and as required by applicable law.

7.2 Upon Termination

Upon termination of the agreement, we will:

  • Provide Customer the ability to export their data for 30 days following termination
  • Delete Personal Data within 90 days of termination, except as required by law
  • Upon request, certify in writing that deletion has been completed

8. Customer Obligations

Customer represents and warrants that:

  • It has obtained all necessary consents and authorizations to provide Personal Data to Theia North
  • Its instructions comply with applicable data protection laws
  • It has provided appropriate privacy notices to Data Subjects
  • It will promptly notify Theia North of any changes affecting data processing requirements

9. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

10. General

  • This DPA is governed by the same law governing the Terms of Service.
  • In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
  • This DPA is effective upon Customer's acceptance of the Terms of Service.

11. Contact

For questions about this DPA or data processing matters:

Theia North, Inc.

Email: