Version 2026-05-25 · Draft for counsel review

Data Processing Agreement Exhibit

Between: Supplier (as defined below) and [COMPANY_LEGAL_NAME] ("Catieno")

Effective date: [EFFECTIVE_DATE]

Version: 2026-05-25

This Data Processing Agreement ("DPA") forms part of the agreement between the supplier customer ("Supplier," "Controller," "you") and Catieno ("Processor," "we") governing Catieno's processing of Supplier Personal Data in connection with the Catieno procurement integration service (the "Service").

This DPA supplements the Supplier Privacy Policy. Capitalized terms not defined here have the meanings in the Privacy Policy or the main services agreement between the parties (the "Agreement") when executed.


1. Definitions

"Applicable Data Protection Law" means GDPR, UK GDPR, Swiss FADP, and US state privacy laws applicable to the processing.

"Supplier Personal Data" means any personal data contained in Supplier Content that Catieno processes on Supplier's behalf.

"Supplier Content" means data Supplier or its users submit to or generate through the Service, including catalog files, product records, buyer relationship configuration, connection credentials (encrypted at rest), PunchOut session and cart data, integration API logs, implementor workspace code, and AI chat content—but excluding data for which Catieno is an independent controller under the Privacy Policy (e.g., Supplier portal account metadata managed solely for Catieno's account administration).

"Sub-processor" means a third party engaged by Catieno to process Supplier Personal Data.

"Standard Contractual Clauses" or "SCCs" means the European Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor), as amended or replaced.


2. Subject matter and duration

Subject matter: Processing necessary to provide hosted catalog, live pricing, PunchOut, catalog import/mapping, integration logging, usage metering, optional AI-assisted configuration, and related support.

Duration: From Supplier's acceptance of this DPA until deletion of Supplier Personal Data in accordance with Section 10, plus any post-termination retention permitted under Section 11 of the Privacy Policy or Applicable Data Protection Law.


3. Nature and purpose of processing

Nature: Collection, storage, organization, transformation, transmission, retrieval, restriction, erasure.

Purpose: Operate procurement integrations between Supplier and its enterprise buyers; provide portal, APIs, logging, metering, and optional AI tools.

Processing operations: Ingest catalog data; map fields to CIF; generate and host catalog files; process PunchOut and pricing requests; store truncated API logs; execute Supplier-authored integration overrides in an isolated workspace.

4. Categories of data subjects

  • Supplier employees, contractors, and agents (portal users);
  • Buyer organization procurement users and agents, to the extent identifiable in protocol messages, session tokens, or logs;
  • Contacts identified in buyer organization names or configuration.

5. Types of personal data

  • Identifiers (names, email addresses, user IDs, session tokens, buyer cookies);
  • Professional contact information;
  • Procurement transaction metadata (cart lines, SKUs, quantities, prices);
  • Technical logs (HTTP headers, truncated request/response bodies);
  • Free-text support or AI chat messages Supplier users submit.

Special category data is not intended to be processed. Supplier shall not submit special category data except where strictly necessary and lawful, with prior written notice to Catieno.


6. Controller obligations

Supplier shall:

1. Instructions: Provide lawful documented instructions via the Service, Agreement, this DPA, and the Privacy Policy.

2. Lawful basis: Ensure a valid legal basis exists for all Supplier Personal Data processed through the Service, including buyer-side data.

3. Notices: Provide required privacy notices to data subjects (including buyer procurement users).

4. Rights requests: Promptly forward data subject requests relating to Supplier Personal Data to [PRIVACY_EMAIL] within 10 business days, and cooperate with Catieno's response.

5. Security: Maintain appropriate security on systems that connect to Catieno; protect credentials.

6. Prohibited data: Not upload malware, unlawful content, or unnecessary sensitive data.

7. Representations: Represent that processing instructions do not cause Catieno to violate Applicable Data Protection Law.


7. Processor obligations (Catieno)

Catieno shall:

7.1 Documented instructions

Process Supplier Personal Data only on documented instructions from Supplier, unless required by law—in which case Catieno will inform Supplier unless prohibited.

7.2 Confidentiality

Ensure personnel authorized to process Supplier Personal Data are bound by confidentiality obligations.

7.3 Security

Implement measures described in Annex II and the Privacy Policy Section 10.

7.4 Sub-processors

  • Supplier provides general written authorization for Catieno to engage Sub-processors listed in Annex III and updates at [SUBPROCESSOR_LIST_URL].
  • Catieno will notify Supplier of intended additions or replacements 30 days in advance via email to the account administrator or [LEGAL_EMAIL].
  • Supplier may object on reasonable grounds relating to data protection within 30 days of notice. If parties cannot resolve the objection, Supplier may terminate the affected Service upon written notice.

Catieno remains liable for Sub-processor performance as required by Applicable Data Protection Law.

7.5 Data subject rights

Assist Supplier by appropriate technical and organizational measures, insofar as possible, in fulfilling data subject rights requests, considering the nature of processing and information available to Catieno.

7.6 Assistance

Provide reasonable assistance with:

  • Data protection impact assessments (where required); and
  • Consultations with supervisory authorities relating to Supplier's use of the Service,

provided Supplier reimburses Catieno's reasonable costs for assistance beyond standard Service support.

7.7 Personal data breach

Notify Supplier without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Supplier Personal Data, with information required under Article 33 GDPR to the extent known. Catieno will cooperate with Supplier's breach notifications.

7.8 Deletion and return

Upon termination or Supplier's written request, delete or return Supplier Personal Data within 90 days, except where retention is required by law or permitted under the Privacy Policy retention schedule (e.g., backup cycles, legal hold).

7.9 Records and audits

Make available information necessary to demonstrate compliance and allow audits as set forth in Section 9.


8. International transfers

8.1 US-only processing

Where Supplier Personal Data relates only to data subjects in the United States and no EEA/UK/Swiss transfer safeguards are required, the SCCs in Section 8.2 apply only if and when such data is later subject to those requirements.

8.2 EEA/UK/Swiss transfers

Where Supplier Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the SCCs by reference, with the following selections:

  • Module: Module 2 — Controller to Processor;
  • Clause 7 (Docking): Not used;
  • Clause 9: Option 2 — general authorization with 30-day notice;
  • Clause 11: Optional redress — not used unless specified in Annex I;
  • Clause 17: Law of Ireland (EEA) / law of England and Wales (UK transfers via UK Addendum);
  • Clause 18: Courts of Ireland / England and Wales;
  • Annex I: This DPA Sections 3–5 and Annex I below;
  • Annex II: Annex II below;
  • Annex III: Annex III below.

For UK transfers, the UK International Data Transfer Addendum to the SCCs (version B1.0 or successor) applies, with the UK Information Commissioner as supervisory authority.

For Swiss transfers, the SCCs apply with Swiss Federal Data Protection and Information Commissioner (FDPIC) adaptations as required.

The EU-US Data Privacy Framework or UK extension, if Catieno certifies and the transfer qualifies, may be used in lieu of or in addition to SCCs where valid.


9. Audits

1. Catieno will make available a summary of third-party security assessments (e.g., SOC 2 Type II report or ISO 27001 certificate) under NDA upon request, no more than once per 12 months.

2. Supplier may conduct an on-site or remote audit once per 12 months with 30 days' notice, during business hours, subject to confidentiality and minimization of disruption.

3. Audits beyond standard reports are at Supplier's expense unless required by a supervisory authority finding of material non-compliance attributable to Catieno.


10. Liability

Liability arising from this DPA is subject to the limitation of liability in the Agreement between the parties. If no Agreement exists, each party's aggregate liability arising from this DPA is capped at fees paid by Supplier to Catieno in the 12 months preceding the claim, except for breaches of confidentiality or misappropriation of secrets.


11. Order of precedence

In case of conflict: (1) SCCs (for regulated transfers); (2) this DPA; (3) the Agreement; (4) the Privacy Policy (for security and retention summaries only).


12. Execution

This DPA is accepted when Supplier checks the acceptance box at portal signup or executes a written order form referencing version 2026-05-25.

Supplier: ________________________________

Name / title: ________________________________

Date: ________________________________

Catieno: [COMPANY_LEGAL_NAME]

Contact: [LEGAL_EMAIL]


Annex I — Processing details

  • Controller: Supplier (customer legal entity on account);
  • Processor: [COMPANY_LEGAL_NAME];
  • Contact: [LEGAL_EMAIL] / [PRIVACY_EMAIL];
  • Activities: Sections 3–5 of this DPA;
  • Duration: Subscription term plus wind-down per Section 2;
  • Sensitive data: Not intended;
  • Frequency: Continuous during Service use;
  • Retention: Per Privacy Policy Section 11.

Annex II — Technical and organizational measures

Catieno maintains measures including, as applicable:

Access control

  • Unique accounts for portal users; password hashing;
  • Role-based access (admin vs member);
  • Tenant isolation in application logic and database queries;
  • Restricted production access for Catieno staff with logging.

Transmission and storage security

  • TLS for data in transit;
  • Application-level encryption for connection credentials and shared secrets (FIELD_ENCRYPTION_KEY);
  • Encrypted object storage (SSE-S3) for catalog artifacts;
  • API responses strip encrypted secret fields after save.

Operations

  • Segregated environments (e.g., UAT vs production VPCs);
  • Integration API logs truncated to configurable max body size (default 32 KB);
  • Sampling for high-volume log endpoints;
  • Automated log pruning (prune_integration_logs) per retention setting (default 90 days);
  • Usage metering stores counts only, not request bodies.

Availability and resilience

  • Hosted on AWS with redundant infrastructure components per environment design;
  • Backups for database and object storage per operational runbooks.

Incident management

  • Security incident response procedures;
  • Breach notification per Section 7.7.

Subprocessor management

  • Written agreements requiring comparable protections;
  • Inventory maintained at [SUBPROCESSOR_LIST_URL].

Personnel

  • Background checks where permitted by law for roles with production access;
  • Security and privacy training.

Supplier is responsible for securing its own systems, buyer credentials, and storefront integrations outside Catieno's control.


Annex III — Authorized sub-processors

Amazon Web Services, Inc.

  • Service: Cloud hosting (EC2, RDS PostgreSQL, S3, ElastiCache, EFS);
  • Location: United States (primary region per deployment);
  • Data processed: All Supplier Content at rest and in processing.

OpenRouter / underlying model providers

  • Service: LLM API routing for mapping and assistant features;
  • Location: United States / varies;
  • Data processed: Headers, mapping context, chat messages submitted by Supplier users.

Email infrastructure provider

  • Service: Transactional email (invites, alerts);
  • Location: As configured;
  • Data processed: Email addresses, message content.

Current details: [SUBPROCESSOR_LIST_URL]

Catieno will update Annex III via the subprocessor list and notice process in Section 7.4.


*This document is a draft for counsel review. It does not constitute legal advice. Standard Contractual Clauses must be appended in full as executed by counsel.*