Catalora

Legal

Data Processing Addendum

Last updated: May 12, 2026

This Data Processing Addendum ("DPA") supplements the agreement between the customer ("Controller") and JG INTL TRADE LLC (dba Catalora) ("Processor") for use of the Services. It applies where Processor processes Personal Data on behalf of Controller subject to the EU GDPR, UK GDPR, or similar laws.

1. Definitions

Capitalized terms have the meanings given in applicable Data Protection Law. "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.

2. Scope and roles

Controller determines the purposes and means of processing. Processor processes Personal Data only on documented instructions from Controller, including transfers, unless required by law.

3. Subject matter and duration

Processing concerns the provision of the Services for the term of the underlying agreement.

4. Nature, purpose, and categories

  • Nature/purpose: hosting, syncing, and analyzing Amazon Selling Partner data; account and catalog management.
  • Data subjects: Controller's personnel, end customers reflected in order data.
  • Categories: contact data, account identifiers, transactional and catalog data, technical/usage data.

5. Processor obligations

  • Process Personal Data only on Controller's instructions.
  • Ensure persons authorized to process are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Section 8).
  • Assist Controller with data-subject requests and Articles 32–36 obligations.
  • Notify Controller without undue delay of Personal Data Breaches.

6. Sub-processors

Controller authorizes Processor to engage sub-processors (cloud hosting, payment processing, error monitoring, transactional email) bound by data-protection terms substantially similar to this DPA. A current list is available on request.

7. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK Addendum, as applicable.

8. Security measures

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access controls, MFA for staff, and least-privilege principles.
  • Audit logging of access to Personal Data.
  • Regular vulnerability scanning and patch management.
  • Documented incident-response and business-continuity procedures.

9. Audits

Processor will make available information necessary to demonstrate compliance and allow audits, including inspections, by Controller or an auditor mandated by Controller, on reasonable prior notice.

10. Deletion and return

Upon termination, Processor will delete or return Personal Data within 30 days, except where retention is required by law.

11. Liability

Liability under this DPA is governed by the limitations in the underlying agreement.

12. Contact

JG INTL TRADE LLC (dba Catalora)
Attn: Jason G — Privacy
4539 N 22 St Ste R, Phoenix, AZ 85016, USA
jasean.mgmt@gmail.com