This DPA supplements our Terms of Service and Privacy Policy. It applies when EWEPIP processes personal data on your behalf as a Data Processor under GDPR Article 28.
1. Purpose
This Data Processing Agreement ("DPA") is entered into between you ("Controller") and EWEPIP, operated by Salmagundi Services LLC ("Processor"). It governs how we process personal data on your behalf when you use the EWEPIP marketplace, POS, social suite, and business tools.
This DPA applies when you, as a seller, employer, service provider, or business operator, use EWEPIP tools that involve processing personal data of your customers, employees, or contacts. It supplements and is incorporated into our Terms of Service and Privacy Policy.
2. Definitions
- Controller — You, the user or seller who determines the purposes and means of processing personal data through EWEPIP tools.
- Processor — EWEPIP (Salmagundi Services LLC), which processes personal data on your behalf according to your instructions.
- Sub-processor — Any third party engaged by EWEPIP to assist in processing personal data. See our Subprocessor List.
- Personal Data — Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Processing — Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction, as defined by GDPR Article 4(2).
- Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
3. Scope of Processing
Data Subjects
The personal data processed under this DPA may relate to the following categories of data subjects:
- Your customers (marketplace buyers, POS patrons, service clients)
- Your employees and staff (POS employee management, scheduling)
- Your contacts (CRM, invoicing, communication lists)
- Your community members (PipHerd, PipChirp followers)
Types of Personal Data
- Names and contact information (email addresses, phone numbers)
- Transaction records (order history, payment amounts, items purchased)
- Shipping and billing addresses
- Employee scheduling and payroll data (POS system)
- Customer loyalty and rewards data
- Communication records (messages, support tickets)
Purpose of Processing
- Order fulfillment and delivery coordination
- Customer communication (order updates, receipts, support)
- Business analytics and reporting (sales, trends, inventory)
- AI assistance via Talk to EWE (business advice, content generation)
- Employee management and scheduling (POS system)
- Loyalty program administration
Duration
Processing continues for as long as your EWEPIP account is active. Upon account termination, all personal data processed on your behalf will be deleted or returned within 30 days, unless retention is required by law.
4. Our Obligations as Processor
EWEPIP, as the data processor, commits to the following:
- Documented instructions only — We process personal data only on your documented instructions, including with regard to transfers of personal data to a third country. If we are required by law to process data beyond your instructions, we will inform you before processing (unless the law prohibits such notification).
- Confidentiality — All persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security measures — We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. See Section 7 for details.
- Sub-processor management — We do not engage another processor without your prior specific or general written authorization. See Section 6.
- Data subject rights assistance — We assist you in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection. We will forward any requests we receive directly from data subjects to you within 48 hours.
- Breach notification — We notify you of any personal data breach within 72 hours of becoming aware of it. See Section 8.
- Deletion or return — Upon termination, we delete or return all personal data to you and delete existing copies, unless storage is required by applicable law.
- Audit support — We make available all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by you or an auditor mandated by you.
5. Your Obligations as Controller
As the data controller, you are responsible for:
- Lawful basis — Ensuring you have a lawful basis for processing personal data (consent, contract, legitimate interest, etc.) under GDPR Articles 6 and 9.
- Clear instructions — Providing clear, documented instructions for how we should handle personal data. Your use of our tools and configuration choices constitute documented instructions.
- Compliance — Ensuring your use of EWEPIP tools complies with all applicable data protection laws, including GDPR, CCPA, and any local regulations.
- Data accuracy — Ensuring that personal data provided to us for processing is accurate and up to date.
- Privacy notices — Informing your data subjects about the processing of their personal data, including the use of EWEPIP as a processor.
6. Sub-processors
A current list of our sub-processors is available at /subprocessors.html.
We will notify you at least 30 days before adding any new sub-processor. You may object to a new sub-processor by contacting us at [email protected] within 14 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected services.
We impose data protection obligations on each sub-processor that are no less protective than those in this DPA. We remain fully liable for the performance of our sub-processors.
7. Security Measures
We implement and maintain the following technical and organizational security measures:
- Encryption in transit — All data transmitted between your browser and our servers uses TLS 1.3 via Cloudflare.
- Encryption at rest — Database storage uses encrypted volumes on our self-hosted infrastructure.
- Access controls — Role-based access control (RBAC) limits data access to authorized personnel only. Database credentials are managed through environment variables, not hardcoded.
- Audit logging — All data access and modifications are logged for accountability.
- Security assessments — Regular security reviews via our CONRADai compliance engine, including XSS protection, SQL injection prevention, and CSRF mitigation.
- Self-hosted infrastructure — The majority of our infrastructure (databases, AI, caching, file storage) runs on our own physical servers in the United States. Your data does not traverse third-party cloud platforms for most operations.
- Network security — WireGuard VPN mesh between servers, nftables firewall, fail2ban intrusion prevention.
8. Data Breach Response
In the event of a personal data breach, we will:
- Notify you within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
- Provide a description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.
- Provide a contact point for further information.
- Cooperate with you in investigating and remediating the breach.
9. International Transfers
EWEPIP is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the transfer of personal data to our servers constitutes an international transfer.
For such transfers, we rely on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission. By accepting this DPA, you are deemed to have executed the SCCs as the data exporter, with EWEPIP as the data importer.
We implement supplementary measures (encryption, access controls, self-hosted infrastructure) to ensure personal data receives an adequate level of protection.
10. Liability
Each party is liable for damages caused by processing that infringes the GDPR. A processor is liable for damages caused by processing only where it has not complied with obligations specifically directed to processors, or where it has acted outside of or contrary to the controller's lawful instructions.
Liability under this DPA is subject to the limitations set forth in our Terms of Service, except where such limitations are prohibited by applicable law.
11. Term and Termination
This DPA is effective upon your acceptance (by using EWEPIP services that involve processing personal data on your behalf) and remains in effect for as long as we process personal data on your behalf.
This DPA terminates automatically when your service agreement with EWEPIP ends. Obligations related to data deletion or return survive termination for 30 days. Confidentiality obligations survive indefinitely.
12. Contact
For questions about this DPA, data processing activities, or to exercise your rights:
- DPA inquiries: [email protected]
- Privacy matters: [email protected]
- General: [email protected]
EWEPIP is operated by Salmagundi Services LLC.