Data Processing Agreement

Last updated: May 2026 · Controller: You (the Merchant) · Processor: BestWebby

1. Scope and Purpose

This Data Processing Agreement (“DPA”) supplements the Terms of Service between BestWebby (“Processor”) and the merchant (“Controller”) and governs the processing of personal data of the Controller's customers and contacts in connection with the BestWebby platform.

2. Processing Instructions

BestWebby will process personal data only on documented instructions from the Controller (i.e., as configured in the Platform settings), unless required to do so by law.

3. Security Measures

BestWebby implements the following technical and organizational measures:

  • AES-256 encryption at rest for all personal data
  • TLS 1.3 encryption in transit
  • Access controls with least-privilege principles
  • Regular security assessments
  • Incident response procedures with 72-hour breach notification

4. Sub-processors

BestWebby uses the sub-processors listed at bestwebby.com/security. BestWebby will notify Controllers before engaging new sub-processors.

5. Data Subject Rights

BestWebby will assist Controllers in responding to data subject requests (access, erasure, portability) within 30 days of request.

6. Termination

Upon termination of the merchant relationship, BestWebby will delete or return all personal data within 90 days, unless retention is required by law.

7. Governing Law

This DPA is governed by the laws of the Province of Ontario, Canada, and, where applicable, EU GDPR requirements.

8. Contact

For DPA inquiries: our contact form