Data Processing Addendum
This Data Processing Addendum (the “DPA”) forms part of the agreement between the Customer and WIARA DAAS Ltd. for the provision of the Persevo commerce-infrastructure service (the “Agreement”). It governs the processing of personal data by Persevo on behalf of the Customer and reflects the requirements of Article 28 of Regulation (EU) 2016/679 (the “GDPR”).
1. Parties
This DPA is between:
- The Customer, acting as the controller of the personal data submitted to the Service; and
- WIARA DAAS Ltd., EIK 205417373, VAT BG205417373, with registered office at 5A Dunav Blvd, Plovdiv 4003, Bulgaria (“Persevo”, the “Processor”).
Where the Customer is itself a processor acting on behalf of a third party, references to the Customer’s instructions include instructions received from the underlying controller.
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. In particular:
- Personal Data: personal data within the meaning of the GDPR that is processed by Persevo on behalf of the Customer in the course of providing the Service.
- Data Subject: the identified or identifiable natural person to whom Personal Data relates, including end-shoppers of the Customer.
- Subprocessor: any third party engaged by Persevo to process Personal Data on behalf of the Customer.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- SCCs: the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914, as amended.
3. Subject matter, duration, nature and purpose
The subject matter of the processing is the operation of the Service for the Customer’s benefit.
The duration of the processing is the term of the Agreement, plus any post-termination period during which Persevo retains Personal Data as permitted under Section 14 of this DPA.
The nature and purpose of the processing is to host the Customer’s checkout, process and route payments through a regulated payments partner, store and serve shopper inputs to the Customer’s catalogue, persist order and fulfilment state, send transactional email, expose the data through the Customer’s dashboard and APIs, and meet related legal obligations.
The types of Personal Data and categories of Data Subjects are described in Annex 1.
4. Roles and instructions
The Customer is the controller and Persevo is the processor in respect of Personal Data processed under the Agreement. Persevo will process Personal Data only on documented instructions from the Customer, including with regard to transfers, unless required to do otherwise by EU or Member State law. If Persevo is so required, it will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Customer’s instructions are reflected in the Agreement, this DPA, the Documentation and the operational features the Customer configures within the Service. The Customer warrants that it has all necessary legal bases, notices and consents to lawfully submit Personal Data to the Service.
5. Confidentiality of personnel
Persevo ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory), are trained on data protection, and have access strictly on a need-to-know basis.
6. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, Persevo implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:
- Encryption of Personal Data in transit (TLS) and at rest for primary data stores;
- Strict access controls, with multi-factor authentication for administrator access, least-privilege roles, and audit logging of privileged actions;
- Network segregation, hardened production environments and managed secrets;
- Regular backups with documented restoration procedures;
- Vulnerability management, dependency scanning, and a coordinated disclosure channel at security@persevo.app;
- Documented incident-response procedures;
- Business-continuity and disaster-recovery testing;
- A security programme aligned with ISO/IEC 27001.
Card data is not transmitted to or stored by Persevo. Card processing is performed by our PCI-DSS-compliant payments partner.
7. Subprocessors
7.1 General authorisation
The Customer grants Persevo general authorisation to engage Subprocessors to provide elements of the Service, subject to the conditions in this Section 7.
7.2 Conditions
Persevo will:
- enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA, to the extent applicable to the nature of the Subprocessor’s service;
- remain liable to the Customer for the acts and omissions of its Subprocessors;
- maintain a list of current Subprocessor categories, set out in Annex 2;
- notify the Customer of any intended addition or replacement of a Subprocessor category at least 14 days in advance, by email to the Customer’s notice contact or by in-product notice.
7.3 Right to object
Within 14 days of such notice, the Customer may object on reasonable data-protection grounds by sending a written objection to privacy@persevo.app. The parties will work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected portion of the Service with reasonable notice, without penalty other than payment of Fees accrued to the date of termination.
8. International transfers
Persevo processes Personal Data within the European Union or the European Economic Area by default. Where a transfer of Personal Data to a third country is necessary, Persevo will rely on a lawful transfer mechanism, in particular the SCCs (Module 2: controller to processor, or Module 3: processor to processor, as applicable), supplemented where appropriate by additional safeguards such as encryption, access controls and transfer impact assessments. By entering into this DPA, the parties are deemed to have entered into the SCCs to the extent required, completed in line with Annex 3.
9. Assistance with Data Subject rights
Taking into account the nature of the processing, Persevo will provide reasonable assistance to the Customer, by appropriate technical and organisational measures, to enable the Customer to respond to requests from Data Subjects to exercise their rights under the GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Where Persevo receives a request from a Data Subject directly, it will not respond to the request itself other than to confirm receipt and will promptly forward it to the Customer.
10. Assistance with other obligations
Persevo will assist the Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 of the GDPR (security, breach notification, data-protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to Persevo.
11. Personal Data Breach notification
Persevo will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notice will include, to the extent reasonably available at the time:
- the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects; and
- a contact point for further information.
Persevo will cooperate with the Customer and provide such further information as is reasonably required to allow the Customer to meet its own notification obligations.
12. Audits
On reasonable prior written notice (and in any event no more than once in any twelve-month period), Persevo will make available to the Customer information necessary to demonstrate compliance with this DPA, including by responding to a reasonable security questionnaire and providing relevant third-party certifications, audit summaries (such as ISO/IEC 27001 statements of applicability) and penetration-testing summaries.
Where this information is insufficient and an on-site audit is reasonably required to verify compliance with Article 28 GDPR, the parties will agree on the scope, timing and conduct of the audit so as to minimise disruption to Persevo and other customers, and will conduct it during normal business hours under appropriate confidentiality obligations. Each party bears its own costs of an audit, unless the audit reveals a material breach by Persevo, in which case Persevo will bear the reasonable third-party audit costs.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable law.
14. Termination and return or deletion
On termination or expiry of the Agreement, Persevo will, at the Customer’s choice and instruction:
- make Personal Data available to the Customer for export in a structured, commonly used format for a period of up to 30 days; and then
- delete or anonymise Personal Data, except to the extent that continued retention is required by EU or Member State law (in which case Persevo will document the basis and protect the data with measures consistent with this DPA).
Persevo will provide written confirmation of deletion on request. Copies of Personal Data held on standard backup media are not deleted individually; they remain until that media is overwritten in line with our retention schedule and are protected in the meantime by the measures in Section 6.
15. Order of precedence
In the event of any inconsistency between this DPA and the rest of the Agreement, this DPA prevails in respect of data-protection matters. Where this DPA conflicts with the SCCs that are deemed to apply, the SCCs prevail.
Annex 1 — Details of processing
Data subjects
- End-shoppers of the Customer.
- Administrators, employees and contractors of the Customer.
- Counterparties whose personal data the Customer chooses to record in the Service (for example, recipients of personalised gifts).
Categories of Personal Data
- Identity and contact: name, email address, phone number, postal addresses.
- Order data: products purchased, prices, quantities, discounts, order status, fulfilment events.
- Payment metadata: last four digits of the card, brand, country, expiry, authorisation status, refund status. The full card number (PAN), CVC and full magnetic-stripe data are never processed or stored by Persevo; they are handled directly by our PCI-DSS-compliant payments partner.
- Personalisation inputs: text, photos, files or structured fields that shoppers submit through the data vault to personalise the Customer’s products.
- Communications: transactional email content sent to shoppers, support messages, account-related notifications.
- Technical and security: IP addresses, timestamps, user agents, device fingerprints used for fraud-prevention.
- Account data: credentials (hashed), session identifiers, role assignments for the Customer’s users.
Special categories
The Service is not designed to process special-category data within the meaning of Article 9 GDPR or criminal-conviction data under Article 10 GDPR. The Customer must not submit such data unless it has agreed an appropriate scope of processing with Persevo in writing.
Purpose of processing
Facilitating online commerce on behalf of the Customer: rendering checkout, routing payments, storing orders and personalisation inputs, sending transactional notifications, exposing data through APIs and dashboards, and supporting related operational, security and legal obligations.
Duration of processing
For the term of the Agreement, plus the limited post-termination period set out in Section 14. Specific retention windows for each data category are documented in the Service or available on request.
Annex 2 — Subprocessor categories
The following categories of Subprocessor support the Service. All Subprocessors in scope are EU- or EEA-based, or process Personal Data exclusively in the EU/EEA. An up-to-date list, with the specific entities and the regions in which they process Personal Data, is available on request to privacy@persevo.app.
| Category | Function | Region |
|---|---|---|
| Cloud hosting | Compute, storage, networking and managed databases for the Service. | EU |
| Frontend and edge hosting | Static asset delivery and edge functions for the marketing site and storefront-adjacent pages. | EU |
| Payments partner | Card and digital-wallet processing, PCI-DSS scope, fraud-risk scoring. | EU |
| Transactional email delivery | Outbound transactional notifications to shoppers and account holders. | EU |
| Logging, monitoring and observability | Operational telemetry, error tracking and uptime monitoring. | EU |
| Customer-support tooling | Ticket management and in-product messaging with customer administrators. | EU |
| Regional courier integrations | Label printing, tracking and delivery-event integration for physical fulfilment. | EU |
Annex 3 — Standard Contractual Clauses
Where the SCCs apply pursuant to Section 8, the parties are deemed to have entered into the SCCs as follows:
- Module: Module 2 (controller to processor) or Module 3 (processor to processor), as applicable.
- Docking clause (Clause 7): applies.
- Sub-processors (Clause 9): Option 2 (general written authorisation); the notice period is 14 days.
- Redress (Clause 11): optional clause does not apply.
- Governing law (Clause 17): the law of Bulgaria.
- Forum (Clause 18): the courts of Bulgaria.
- Annex I.A: the parties identified in Section 1 of this DPA.
- Annex I.B: the description of processing in Annex 1.
- Annex I.C: the competent supervisory authority is the Bulgarian Commission for Personal Data Protection (КЗЛД).
- Annex II: the security measures described in Section 6.
- Annex III: the Subprocessor categories in Annex 2.
Signature
This DPA is entered into by the Customer’s acceptance of the Agreement and takes effect from the start date of the Service. The DPA may be counter-signed on request: email privacy@persevo.app from your registered billing contact to receive a counter-signed copy.