Effective April 30, 2026
Data Processing Addendum
This DPA is a practical processor addendum for merchants that connect customer data, store data, and conversation data to Laris.
1. Scope
This Data Processing Addendum applies when Laris processes personal data on behalf of a merchant as a processor, service provider, or similar role under applicable privacy laws. It forms part of the Terms or other written agreement between Laris and the merchant.
2. Roles and instructions
The merchant is the controller or business for merchant customer data, and Laris is the processor or service provider. Laris will process personal data only to provide, secure, support, improve, and maintain the service; as documented in the agreement; as instructed by the merchant; or as required by law.
3. Categories of data
Processed data may include merchant account data, store data, product data, customer contact details, messages, orders, support requests, conversation metadata, AI prompts, AI outputs, usage logs, and related commerce data. The merchant must not submit special category, highly sensitive, payment card, children’s, health, government ID, biometric, or regulated data unless expressly authorized in writing.
4. Security measures
Laris will maintain reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. Measures may include access controls, encryption in transit, vendor review, logging, least-privilege access, backups, and incident response procedures.
5. Subprocessors
The merchant authorizes Laris to use subprocessors for hosting, storage, AI infrastructure, analytics, security, support, email, billing, and integrations. Laris will impose written obligations on subprocessors that are designed to protect personal data at a level materially consistent with this DPA. Laris remains responsible for subprocessors as required by applicable law and the agreement.
6. Data subject requests and assistance
Taking into account the nature of processing, Laris will provide reasonable assistance to the merchant for data subject requests, deletion, access, correction, portability, restriction, objections, privacy impact assessments, and consultations with regulators, to the extent required by law and reasonably available through the service.
7. Security incidents
Laris will notify the merchant without undue delay after confirming a personal data breach affecting merchant customer data, as required by applicable law. Notice may include available information about the nature of the incident, affected data, mitigation steps, and recommended actions.
8. International transfers
Where cross-border transfer rules apply, the parties will use appropriate transfer mechanisms, which may include standard contractual clauses, recognized adequacy decisions, or other lawful transfer safeguards. If standard contractual clauses apply, they are incorporated by reference to the extent required by law.
9. Return and deletion
Upon termination or written request, Laris will delete or return merchant customer data as required by the agreement and applicable law, subject to backups, legal obligations, security logs, dispute records, and archival copies that are retained under restricted access and deleted according to retention schedules.
10. Audit and information
Laris will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and protection of other customers. Audits must be reasonable, non-disruptive, and limited to relevant systems, and may be satisfied through documentation, questionnaires, or third-party reports where available.
11. Conflict
If this DPA conflicts with the Terms, this DPA controls only for processor obligations relating to personal data. All other Terms remain in effect.