Effective Date: February 18, 2026
This Data Processing Agreement ("DPA") is entered into between Social4Commerce Inc., doing business as Sell & Tell ("Company" or "Processor") and the entity identified as the subscriber to the Services under the Master Subscription Agreement ("Customer" or "Controller"). This DPA supplements and forms part of the Master Subscription Agreement (the "Agreement") between the Company and Customer.
This DPA governs the processing of Customer Personal Data by the Company on behalf of Customer in connection with the provision of the Services, and reflects the parties' commitment to complying with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable state, federal, and international data protection and privacy laws.
"Customer Personal Data" means any personal data or personal information (as defined under applicable Data Protection Laws) that is provided by or on behalf of Customer or collected through the Services, including Shopper Interaction Data, and that the Company processes on behalf of Customer as a processor or service provider.
"Data Protection Laws" means all applicable laws, rules, and regulations relating to the processing, privacy, and protection of personal data, including the GDPR, the UK GDPR, the CCPA/CPRA, and other applicable state and international privacy laws.
"Data Subject" means an identified or identifiable natural person whose personal data is processed, including Shoppers and representatives of Customer.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as may be amended, replaced, or superseded from time to time.
"Sub-processor" means any third party engaged by the Company to process Customer Personal Data on behalf of Customer.
This DPA applies to the Company's processing of Customer Personal Data in connection with the provision of the Services, which includes: (a) hosting and operating the SELL AI agent Widget on Customer's ecommerce store; (b) capturing and processing Shopper Interaction Data through micro-interactions, conversations, polls, reactions, and taps; (c) generating Insight Data through the TELL AI agent's analysis of Shopper Interaction Data; (d) presenting analytics and recommendations through the Platform dashboard; and (e) providing customer support and technical assistance.
For the purposes of Data Protection Laws: (a) Customer is the controller (or "business" under the CCPA) with respect to Customer Personal Data, and the Company is the processor (or "service provider" under the CCPA) acting on behalf of Customer; (b) each party is an independent controller with respect to the personal data of its own employees, contractors, and business contacts; and (c) the Company is an independent controller with respect to Usage Data and Aggregate Data as described in the Agreement.
The Company will process Customer Personal Data only on documented instructions from Customer, unless required to do so by applicable law. The instructions for processing are set forth in this DPA and the Agreement. Customer instructs the Company to process Customer Personal Data for the purposes of providing the Services, including the operation of the SELL and TELL AI agents.
The Company will ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymization and encryption of Customer Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; (c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
Customer provides general authorization for the Company to engage Sub-processors for the processing of Customer Personal Data. The Company will: (a) maintain a current list of Sub-processors, which will be made available to Customer upon request or published at sellandtell.ai/legal/subprocessors; (b) provide Customer with at least thirty (30) days' prior written notice before engaging a new Sub-processor or replacing an existing one; (c) impose data protection obligations on each Sub-processor by way of a written contract that provides at least the same level of protection as this DPA; and (d) remain liable for the acts and omissions of its Sub-processors.
If Customer objects to a new Sub-processor on reasonable data protection grounds, Customer will notify the Company in writing within fifteen (15) days of receiving notice. The parties will discuss the objection in good faith. If no resolution is reached within thirty (30) days, Customer may terminate the Agreement with respect to the affected Services and receive a pro-rata refund of any pre-paid fees.
The Company will assist Customer, by appropriate technical and organizational measures, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). If the Company receives a request directly from a Data Subject, the Company will promptly forward the request to Customer unless prohibited by law.
The Company will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the contact details of the Company's privacy or security officer; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Company will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under applicable Data Protection Laws and to the extent Customer does not otherwise have access to the relevant information.
Upon termination or expiration of the Agreement, and subject to Customer's request, the Company will: (a) return all Customer Personal Data to Customer in a commonly used, machine-readable format; or (b) securely delete all Customer Personal Data, except to the extent that retention is required by applicable law. The Company will complete such return or deletion within forty-five (45) days of termination or the Customer's request, whichever is later. Notwithstanding the foregoing, the Company may retain Aggregate Data and Usage Data that does not identify any individual.
Customer represents and warrants that: (a) Customer's instructions for the processing of Customer Personal Data comply with applicable Data Protection Laws; (b) Customer has obtained all necessary consents, authorizations, and legal bases for the collection and processing of Customer Personal Data through the Services, including adequate disclosure to and consent from Shoppers; (c) Customer has provided any required privacy notices to Data Subjects; and (d) Customer will not submit to the Services any special categories of personal data (sensitive data) or protected health information, unless expressly agreed in writing.
To the extent that Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the parties agree that such transfers will be governed by the Standard Contractual Clauses. The SCCs are hereby incorporated by reference. For transfers from the EEA, the SCCs adopted by the European Commission Decision 2021/914 will apply, with Customer as the data exporter and the Company as the data importer. For transfers from the UK, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office will apply.
The Company will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by Customer or an independent third-party auditor mandated by Customer. Such audits will be: (a) conducted no more than once per twelve-month period, unless required by a supervisory authority or following a Personal Data Breach; (b) subject to reasonable advance notice of at least thirty (30) days; (c) conducted during normal business hours; (d) limited in scope to the processing of Customer Personal Data; and (e) subject to reasonable confidentiality obligations. Customer will bear the costs of any audit, except where the audit reveals a material breach by the Company.
To the extent the CCPA applies to the processing of Customer Personal Data, the Company certifies that it: (a) will not sell or share Customer Personal Data; (b) will not retain, use, or disclose Customer Personal Data for any purpose other than as specified in the Agreement, including for any commercial purpose other than providing the Services; (c) will not combine Customer Personal Data with personal information it receives from other sources, except as expressly permitted by the CCPA; and (d) will comply with applicable CCPA obligations and grant Customer the same level of privacy protection as required by the CCPA.
The Company may use Customer Personal Data to improve its internal AI models (SELL and TELL agents) only to the extent such use is: (a) consistent with Customer's documented instructions; (b) limited to creating de-identified, anonymized, or aggregated training data that cannot be used to re-identify any individual Data Subject; and (c) compliant with applicable Data Protection Laws. Customer Personal Data will not be used to train third-party AI models.
The SELL and TELL AI agents do not make decisions that produce legal effects or similarly significant effects on individual Data Subjects. The Services generate recommendations and insights for Customer's review and decision-making. Customer acknowledges that no automated decisions affecting individual Shoppers' legal rights are made solely by the AI agents.
Each party's liability arising out of or related to this DPA will be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability with respect to any breach of Data Protection Laws to the extent such limitation is prohibited by law.
This DPA will remain in effect for the duration of the Agreement and will automatically terminate upon the termination or expiration of the Agreement, except that the Company's obligations with respect to the return or deletion of Customer Personal Data and any obligations that by their nature should survive will continue beyond termination.
For questions regarding this DPA, please contact: Email: privacy@sellandtell.ai Attn: Data Protection Officer Social4Commerce Inc.
© 2026 Social4Commerce Inc. All rights reserved.
If you have any questions about this document, please contact us at team@sellandtell.ai