1. Definitions and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller," "Merchant") and MD SOFTWARE L.L.C-FZ / Fluxera LLC ("Processor," "SellStein," "we") for the processing of personal data in connection with the SellStein platform.
The following definitions apply to this DPA:
- "Controller" means the Merchant who determines the purposes and means of processing personal data through the SellStein platform.
- "Processor" means SellStein (MD SOFTWARE L.L.C-FZ / Fluxera LLC), which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed (e.g., the Merchant's customers, end-users, or website visitors).
- "Personal Data" means any information relating to a Data Subject, including names, email addresses, IP addresses, payment information, order history, and device identifiers.
2. Roles and Responsibilities
The parties' roles are determined by applicable data protection law, including the General Data Protection Regulation (GDPR), the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, and other applicable legislation.
Controller (Merchant):
You determine the purposes and means of processing your customers' personal data. You are responsible for ensuring a lawful basis for processing, providing privacy notices to your customers, and responding to data subject requests.
Processor (SellStein):
We process personal data only on your documented instructions. We provide the technical infrastructure, security measures, and support necessary for processing. We do not sell, share, or use personal data for our own purposes beyond providing the Service.
3. Data Processing Scope and Purpose
We process personal data for the following purposes, solely to provide the SellStein ecommerce platform services:
- Order processing, fulfillment, and delivery management
- Payment processing and fraud prevention
- Customer account management and authentication
- Transactional email delivery (order confirmations, shipping updates, invoices)
- Analytics and reporting (aggregated and per-store)
Categories of personal data processed:
- Identity data: names, email addresses, phone numbers, billing/shipping addresses
- Transaction data: order details, payment references, invoice records
- Technical data: masked IP addresses, device identifiers, browser information
- Communication data: support tickets, chat messages, email logs
4. Sub-Processors
We engage the following sub-processors to assist in providing the Service. Each sub-processor is bound by data processing agreements that provide at least the same level of protection as this DPA:
Cloudflare, Inc.
Infrastructure provider (CDN, Workers, D1 database, R2 storage). Data processed in 300+ global edge locations. Cloudflare is certified under ISO 27001, SOC 2 Type II, and maintains Standard Contractual Clauses for international transfers.
Stripe, Inc.
Payment processing. Handles payment card data directly (PCI DSS Level 1 certified). SellStein does not store card numbers. Stripe maintains Standard Contractual Clauses and is certified under SOC 1 & 2.
Twilio Inc. (SendGrid)
Transactional email delivery. Processes recipient email addresses and email content. Twilio maintains SOC 2 Type II certification and Standard Contractual Clauses.
We will notify you of any intended changes to sub-processors, giving you the opportunity to object. The current list of sub-processors is maintained on this page and updated whenever changes occur.
5. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and the United Arab Emirates. We ensure appropriate safeguards for such transfers through:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- Data Processing Agreements with all sub-processors that include equivalent transfer mechanisms
- Technical measures including encryption in transit (TLS 1.3) and at rest (AES-256-GCM)
Cloudflare's edge network processes requests at the nearest point of presence, minimizing cross-border data transfers where possible.
6. Security Measures
We implement the following technical and organizational measures to protect personal data:
- Encryption: All data is encrypted in transit (TLS 1.3), and sensitive fields are encrypted at rest (AES-256-GCM). API keys and secrets are stored using authenticated encryption.
- Access Control: Role-based access control (RBAC) with per-business permission isolation. Session-based authentication with HttpOnly, Secure, SameSite cookies.
- IP Masking: All IP addresses are masked before storage (last octet replaced with .0) to minimize personal data retention.
- Monitoring: Security anomaly detection, rate limiting, CSRF protection, and automated threat pattern detection.
- Data Minimization: Email addresses are redacted in logs, stack traces are stripped from API responses, and data retention policies are enforced automatically via scheduled cleanup.
- Infrastructure Security: Zero-trust architecture on Cloudflare Workers with process-level isolation. No shared servers or databases between tenants.
- Incident Response: Documented procedures for security incident detection, assessment, containment, and notification.
7. Data Breach Notification
In the event of a personal data breach that affects your customers' data, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
The notification will include:
- The nature of the breach, including the categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
8. Data Subject Rights
We will assist you in responding to data subject requests, including the right to:
- Access: Obtain confirmation of whether personal data is being processed and receive a copy of that data
- Rectification: Correct inaccurate or incomplete personal data
- Erasure: Request deletion of personal data (GDPR anonymization is applied; data is anonymized rather than hard-deleted to maintain order integrity)
- Portability: Receive personal data in a structured, commonly used, machine-readable format (JSON/CSV export)
- Restriction: Restrict processing of personal data under certain conditions
- Objection: Object to processing based on legitimate interests or direct marketing
The SellStein dashboard provides built-in tools for customer data export (Settings > Database > Export) and customer anonymization (Customers > [customer] > Delete/Anonymize) to help you fulfill these requests efficiently.
9. Term and Termination
This DPA is effective for the duration of our processing of personal data on your behalf and terminates automatically when the underlying Terms of Service are terminated.
Upon termination, we will delete or return all personal data processed on your behalf within 30 days, unless retention is required by applicable law. You may export your data at any time through the dashboard before termination.
10. Contact
For questions about this DPA or to exercise your rights as a Controller, please contact us at:
MD SOFTWARE L.L.C-FZ / Fluxera LLC - Data Protection
5842+74 Dubai, United Arab Emirates
Email: dpa@sellstein.com
Privacy: privacy@sellstein.com