Data Processing Addendum
Last updated: April 17, 2026 · Version 1.0
Scope: This Addendum is incorporated into our Terms of Service and applies automatically whenever you (a Sellium customer, the "Controller") use the Service to process personal data of your end users, employees, or customers. It supplements the Terms with contractual terms required by data-protection laws, including GDPR Article 28 and the CCPA/CPRA service-provider provisions. This is a template — you should have your own legal counsel review it before relying on it for enterprise contracts.
1. Definitions
Unless defined here, capitalized terms have the meaning given to them in the Terms of Service or applicable law.
- "Applicable Data Protection Law" means any law applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Brazil's LGPD, Canada's PIPEDA and Law 25 (Quebec), and any other applicable privacy laws.
- "Controller" means you, the Sellium customer. Under CCPA/CPRA, you are the "Business."
- "Processor" means Sellium. Under CCPA/CPRA, Sellium is a "Service Provider."
- "Personal Data" means any information that relates to an identified or identifiable natural person that is processed by Sellium on your behalf.
- "Data Subject" means the individual to whom Personal Data relates. Under CCPA/CPRA, the "Consumer."
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third-party processor engaged by Sellium to process Personal Data.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles and Scope of Processing
2.1 Roles
For the Personal Data that you (as Controller) submit to the Service or that Sellium processes on your behalf, Sellium acts as a Processor (GDPR) and Service Provider (CCPA/CPRA). Each party shall comply with its respective obligations under Applicable Data Protection Law.
2.2 Details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Sellium platform, including e-commerce, CRM, advertising, social inbox, AI creative generation, and billing features. |
| Duration | The term of your Sellium subscription, plus the retention period in Section 9. |
| Nature and purpose | Hosting, storing, transmitting, analyzing, and displaying Personal Data necessary to provide the Service; enabling you to manage customers, orders, marketing, and communications. |
| Types of Personal Data | Identification data (names, emails), contact data (addresses, phones), transactional data (order history, payment status), marketing data (engagement, preferences), device/online identifiers (IP addresses, cookie IDs), content data (comments, messages, ad creatives). |
| Categories of Data Subjects | Your end customers, prospects, employees, team members, and other individuals whose data you choose to store in the Service. |
3. Sellium's Obligations as Processor / Service Provider
Sellium will:
- Process Personal Data only on your documented instructions, including with regard to transfers to a third country, unless required to do so by law (in which case Sellium will notify you unless that law prohibits such notification).
- Ensure that persons authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Implement the technical and organizational measures described in Section 6 (Security).
- Under CCPA/CPRA: not sell or share Personal Data; not retain, use, or disclose Personal Data for any purpose other than providing the Service or as permitted by the CCPA; not combine Personal Data received from you with Personal Data from other sources except as necessary to provide the Service; and comply with applicable CCPA obligations.
- Assist you in fulfilling your obligations to respond to Data Subject requests under Applicable Data Protection Law (see Section 7).
- Notify you of Personal Data Breaches without undue delay, and no later than 72 hours after becoming aware of the breach, in accordance with Section 8.
- At your choice, delete or return all Personal Data at the end of the provision of the Service, as described in Section 9.
- Make available to you all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by you or another auditor mandated by you, subject to the conditions in Section 10.
4. Sub-processors
4.1 Authorization
You provide general authorization for Sellium to engage Sub-processors to process Personal Data on your behalf. The current list of Sub-processors is maintained in the Sub-processors section of our Privacy Policy, which is incorporated into this DPA by reference.
4.2 Changes to Sub-processors
Sellium will update the Sub-processor list when it adds or replaces a Sub-processor. If you subscribe to notifications at privacy@sellium.app, Sellium will notify you at least 14 days in advance of any such change. You may object in writing within that period; if a reasonable objection cannot be resolved, you may terminate the affected Services.
4.3 Sub-processor obligations
Sellium will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and will remain liable to you for any breach caused by its Sub-processors.
5. International Data Transfers
Sellium is based in the United States. When Sellium transfers Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a country that does not ensure an adequate level of protection:
- For transfers from the EEA, the parties rely on the EU Standard Contractual Clauses (2021/914) Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable. The SCCs are hereby incorporated into this DPA by reference.
- For transfers from the UK, the parties rely on the UK International Data Transfer Addendum to the EU SCCs, also incorporated by reference.
- For transfers from Switzerland, the EU SCCs apply with references to the GDPR being read as references to the Swiss Federal Act on Data Protection.
6. Security Measures
Sellium implements and maintains technical and organizational measures appropriate to the risk, including:
- Encryption in transit — TLS 1.2+ for all Service endpoints.
- Encryption at rest — database encryption (via our infrastructure providers: Supabase / AWS / Google Cloud / Vercel).
- Password hashing — scrypt (N=16384, r=8, p=1) with per-user random salt; no plaintext storage.
- Access controls — tenant isolation (every record scoped by tenant_id); role-based access within tenants; principle of least privilege for employee access.
- CAPTCHA + rate limiting — Cloudflare Turnstile on public auth endpoints; per-IP and per-account rate limits.
- Optional IP allowlist — per-tenant self-service admin IP restriction.
- Logging and monitoring — authentication, API, and webhook logs retained for security investigation.
- Backups — automated daily backups by our infrastructure providers.
- Vulnerability management — dependency scanning; security contact security@sellium.app and security.txt.
Security measures are subject to change; Sellium may update them provided that the updated measures do not materially decrease the overall level of security.
7. Data Subject Requests
Under GDPR, UK GDPR, CCPA/CPRA, and other Applicable Data Protection Law, Data Subjects have rights including access, correction, deletion, portability, restriction, objection, and (under CCPA/CPRA) the right to know, delete, correct, limit use of sensitive PI, and opt out of sale or sharing.
As the Controller, you are primarily responsible for responding to Data Subject requests. Sellium will assist you by:
- Providing Service features that allow you to access, export, correct, and delete Personal Data within your tenant.
- Where technically required, providing additional reasonable assistance on written request to privacy@sellium.app.
If Sellium receives a Data Subject request directed at your tenant, it will forward the request to you without undue delay and will not respond to the Data Subject directly unless required by law.
8. Personal Data Breach Notification
Sellium will notify you of a Personal Data Breach without undue delay, and in any event within 72 hours after becoming aware of it, by email to the address on file for your account (and to any additional breach-notification email you provide at privacy@sellium.app). The notification will describe, to the extent known at the time:
- The nature of the breach and categories / approximate numbers of Data Subjects and records concerned.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate its effects.
- A point of contact for further information.
Sellium will supplement the initial notification with additional information as it becomes available.
9. Return or Deletion of Personal Data
On termination or expiration of the Service, and at your choice, Sellium will:
- Return all Personal Data in a commonly used, machine-readable format (CSV or JSON export), or
- Delete all Personal Data, including by instructing Sub-processors to do the same.
Default behavior: Personal Data is retained in a suspended state for 90 days following subscription cancellation to allow for account reactivation; after this period, Personal Data is automatically deleted except where Sellium is required to retain it by law (e.g., billing records, tax obligations).
10. Audit Rights
Sellium will make available to you all information reasonably necessary to demonstrate compliance with this DPA. You may audit Sellium's compliance once in any 12-month period on reasonable prior written notice of not less than 30 days, during normal business hours and without materially disrupting operations. You are responsible for your own audit costs.
Sellium may fulfill audit obligations by providing:
- Self-assessments, summaries, or certifications (e.g., SOC 2 Type II once obtained).
- Reports of third-party audits of its Sub-processors.
- Responses to reasonable written questionnaires.
11. CCPA/CPRA-Specific Terms
With respect to Personal Data regulated by the CCPA/CPRA:
- Sellium is a "Service Provider" as defined in Cal. Civ. Code § 1798.140(ag).
- Sellium will not "sell" or "share" Personal Data as those terms are defined in the CCPA/CPRA.
- Sellium will not retain, use, or disclose Personal Data outside the direct business relationship with you or for any purpose other than the "Business Purposes" set out in this DPA and the Terms.
- Sellium will not combine Personal Data received from you with Personal Data from another source, except as necessary to provide the Service.
- You have the right to take reasonable and appropriate steps to help ensure that Sellium uses Personal Data in a manner consistent with your obligations under CCPA/CPRA, including through this DPA.
- On reasonable notice, Sellium will notify you if it determines it can no longer meet its Service Provider obligations.
12. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law.
13. Order of Precedence
If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to its subject matter. If there is a conflict between this DPA and the SCCs incorporated by reference in Section 5, the SCCs control.
14. Changes to this DPA
Sellium may update this DPA from time to time to reflect changes in law or Service features. Material changes will be announced on this page and, where feasible, by email to account administrators. Your continued use of the Service after the effective date of a change constitutes acceptance of the updated DPA.
15. Contact & Signed Copies
For privacy questions, Data Subject requests, or to request a counter-signed copy of this DPA for your records, contact: