Realify Data Processing Addendum
Controller: Realify ai Inc (Delaware corporation, File No. 10409872)
Principal Address: 28 Geary St STE 650 494, San Francisco, CA 94108, USA
Development Center (affiliate): Realify AI India Private Limited
Affiliate Address: Plot No. 629, Sector 82, Sahibzada Ajit Singh Nagar (Mohali), Punjab 140306, India
Contact: legal@realify.ai
Effective Date: June 1st, 2026
Roles and Scope
- Controller / Business: Customer is the data controller (GDPR) and business (CCPA/CPRA) for Customer Personal Data.
- Processor / Service Provider: Realify processes Customer Personal Data solely on Customer's documented instructions to provide the Services.
- "Customer Personal Data": The subset of Customer Data (as defined in the Terms of Service) that constitutes personal information under applicable law.
- Purpose: Providing unified commerce analytics, AI-driven recommendations, and multi-channel automation through the Services.
- Duration: Processing continues for the Services term and up to 30 days thereafter.
Processing Instructions
Realify processes Customer Personal Data only: (a) per Customer's documented instructions (Terms of Service, Order Form); (b) as necessary to provide the Services; (c) as required by applicable law (with notice to Customer to the extent permitted). Customer is responsible for ensuring instructions are lawful and that Customer has a valid legal basis for processing.
CCPA Service Provider Certification
CCPA / CPRA
This section constitutes Realify's service provider certification for personal information of California residents processed on Customer's behalf.
Realify certifies that it:
- (a) Processes personal information only for the Services described in the Terms of Service and this DPA
- (b) Does not sell or share Customer Personal Data for cross-context behavioral advertising
- (c) Does not use Customer Personal Data outside the direct business relationship with Customer
- (d) Understands and complies with CCPA/CPRA service provider restrictions
- (e) Will notify Customer if it can no longer meet these obligations and will cooperate with remediation
Realify will assist Customer in fulfilling consumer rights requests (know, delete, correct, opt-out) for Customer Personal Data stored in the Services.
GDPR and International Transfer Obligations
US-Only Customer Base
Realify currently serves customers exclusively in the United States and does not actively process personal data of EEA, UK, or Swiss data subjects. This section is documented for regulatory completeness and future use, and will become operative if and when Realify expands to serve EU, UK, or Swiss customers.
For future processing of EEA, UK, or Swiss personal data on Customer's behalf, Realify will:
- (a) Process only on Customer's documented instructions (GDPR Art. 28)
- (b) Ensure all personnel are bound by confidentiality
- (c) Implement the measures in Section 5
- (d) Assist Customer with data subject rights and DPIAs at Customer's reasonable cost
- (e) Delete or return all personal data at end of service relationship
International Transfers
- EU-US Data Privacy Framework (DPF): Where Realify is self-certified (verify at https://www.dataprivacyframework.gov), the parties rely on Realify's DPF certification as the primary transfer mechanism.
- Standard Contractual Clauses: For transfers not covered by the DPF, the EU SCCs (Commission Decision 2021/914, Module 2), UK International Data Transfer Addendum, and Swiss adaptations, executed on request.
- Supplementary Measures: Encryption, access controls, audit logging, and documented government access request procedures.
Contact legal@realify.ai to execute SCCs or verify DPF certification.
Security
Realify implements the technical and organizational measures set out in
Privacy Policy Section 7, incorporated here by reference. These measures
(encryption, access controls, password policy, audit logging, DLP, network
security, vulnerability management, secure coding, incident response, and
backup/DR) apply to all Customer Personal Data. Enterprise customers may
request the penetration test executive summary under NDA.
With respect to cross-border access by personnel of Realify's technical
affiliate, Realify AI India Private Limited, the mandatory controls governing
that access, including VDI requirements, DLP enforcement, PII
masking, and immutable audit logging, are set out in Privacy Policy
Section 5.1 (Security) and are incorporated into this
DPA in full.
Sub-Processors
Customer authorizes Realify to engage the sub-processors listed in Privacy Policy Section 6 and at realify.ai/legal/subprocessors. All sub-processors are bound by DPAs no less protective than this DPA. Realify provides 30 days' advance notice of new sub-processors; Customer may object in writing. Unresolved objections within 30 days allow Customer to terminate affected Services without penalty.
Pre-Onboarding
Documented security assessment covering security program maturity, compliance certifications (SOC 2, ISO 27001, or equivalent), data residency, breach notification commitments, and — for Amazon Information — all Amazon DPP-specific obligations (DPP §4.7).
Annual Reviews
Documented annual risk assessment of every sub-processor with access to Customer Personal Data, reviewing security changes, prior-year incidents, DPA compliance, and continued necessity. Results available to Customer under NDA and to Amazon for sub-processors with access to Amazon Information.
Remediation
Material non-compliance triggers a remediation timeline; access may be suspended or the relationship terminated, with notice to affected Customers.
Data Subject Rights and Confidentiality
Realify provides reasonable assistance to help Customer respond to data subject rights requests under GDPR, CCPA/CPRA, and applicable state privacy laws, forwarding direct requests from individuals to Customer within 5 business days. All Realify personnel with access to Customer Personal Data are bound by confidentiality obligations by contract or professional duty. Realify conducts background checks on such employees to the extent permitted by applicable law.
Security Incident Notification
- Amazon SP-API Information: Realify notifies Amazon at security@amazon.com within 24 hours of detection, before any public disclosure (Amazon DPP §1.6). Affected sellers notified simultaneously.
- Amazon Advertising API data: Realify notifies affected Customers within 24 hours of detection and cooperates with Amazon's advertising compliance review process. All Amazon Advertising data incidents are treated with the same urgency as Amazon SP-API incidents.
- Google Ads API data: Realify notifies affected Customers within 24 hours of detection and cooperates with Google's compliance review process as required under Google Ads API Terms of Service.
- Meta Marketing API data: Realify notifies affected Customers within 24 hours of detection and cooperates with Meta's data-incident review process under Meta's Developer Policies.
- Shopify API data: Realify notifies the affected Merchant and Shopify within 72 hours of confirmed discovery, consistent with Shopify's Partner Program Agreement breach notification requirements.
- All Customer Personal Data: Realify notifies Customer within 72 hours of confirmed discovery. For Amazon SP-API, Amazon Advertising, Google, and Meta incidents, notification is simultaneous with platform notification (within 24 hours).
- Notification content: Each notice states: nature and scope; categories and approximate records affected; likely consequences; measures taken or proposed; Realify's incident response contact.
- Cooperation: Realify cooperates with investigations, preserves forensic evidence, and maintains incident records available to Customer and relevant platforms on request.
Audit Rights
On 30 days' prior written notice, Realify makes available information necessary to demonstrate DPA compliance, including certifications, audit reports, and third-party assessments. Realify supports audits by Customer or a designated auditor subject to reasonable confidentiality protections and agreed scope. Audit costs are borne by Customer.
Return and Deletion
On termination, Realify deletes or returns Customer Personal Data within 30 days at Customer's election. For Amazon Information, deletion follows Privacy Policy Section 5.1 (live systems: 7 business days; backups: 30 days; certificate: 35 days; NIST SP 800-88 Rev. 1). Non-Amazon backup copies purged within 90 days. Written confirmation on request.
Amazon SP-API — Consolidated Compliance Reference
Amazon Compliance Reference
This section provides a consolidated reference for Amazon's review. All obligations are required by the Amazon SP-API Developer Agreement, Data Protection Policy, and Acceptable Use Policy. In any conflict, the more restrictive obligation governs.

| Obligation | Standard |
|---|---|
| Authorized use only | Amazon Information used solely to provide the Services to the authorizing seller. |
| No AI/ML training | Absolute prohibition — any form, identifiable, de-identified, or aggregated. |
| No cross-seller aggregation | Absolute prohibition. |
| No Amazon business insights | AUP §4.5. |
| Retention — PII | 30-day hard limit. |
| Retention — Non-PII live | 30-day hard limit. |
| Retention — Non-PII archive | 18-month hard limit. |
| Deletion | NIST SP 800-88 Rev. 1; written certificates; on-demand deletion within 35 days. |
| Encryption | AES-256 at rest; TLS 1.2+ in transit; AWS KMS. |
| Access | RBAC; least privilege; mandatory MFA; quarterly reviews; comprehensive audit logging with geographic origin. |
| Breach notification | Amazon at security@amazon.com within 24 hours. |
| Suspected violations | Amazon at spapi-abuse@amazon.com; customer access may be suspended (AUP §1.3). |
| Sub-processor diligence | Per Section 6; documentation available to Amazon on request. |
Priority
This DPA prevails over the Terms of Service in the event of any conflict regarding Customer Personal Data processing.

