Data Processing Addendum

Last updated: November 2024

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between BookUploadPro ("Processor" or "we") and you ("Controller" or "you").

This DPA governs the processing of personal data subject to data protection laws including the General Data Protection Regulation (GDPR) and other applicable privacy legislation.

2. Definitions

  • "Controller" means you, the entity that determines the purposes and means of processing personal data.
  • "Processor" means BookUploadPro, the entity that processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Subject" means the individual to whom the personal data relates.
  • "GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.

3. Scope and Applicability

This DPA applies when you (as a Controller) use BookUploadPro services to process personal data, and such processing is subject to GDPR or other applicable data protection laws.

By using our service and processing personal data through it, you accept the terms of this DPA and authorize us to act as a Processor for your data.

4. Data Processing Details

Subject Matter:

Processing of personal data necessary to provide BookUploadPro services, including user authentication, usage tracking, and transmission to authorized publishing platforms.

Duration:

Processing continues for the duration of your service subscription or until data is deleted or returned as specified in this DPA.

Nature and Purpose:

We process data to operate, maintain, and improve our service; authenticate users; track usage limits; transmit metadata to publishing platforms; and provide customer support.

Types of Personal Data:

  • Account information (name, email, credentials)
  • Subscription and billing information
  • Usage data and activity logs
  • Metadata about uploaded content (titles, ISBNs, etc.)
  • Technical information (IP addresses, device info)

Categories of Data Subjects:

  • Your account users and administrators
  • Authorized team members and collaborators
  • Individuals whose data you upload through our service

5. Processor Obligations

As Processor, we agree to:

  • Process personal data only in accordance with your documented instructions
  • Ensure that persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to protect personal data
  • Assist you in responding to data subject requests and privacy complaints
  • Assist you in demonstrating compliance with GDPR obligations
  • Notify you without undue delay of any data breaches affecting your data
  • Return or delete all personal data upon termination (unless legal retention is required)

6. Controller Obligations

As Controller, you agree to:

  • Provide complete and accurate instructions for data processing
  • Ensure you have a lawful basis for processing personal data
  • Obtain necessary consents from data subjects where required
  • Respect data subject rights and respond to privacy requests appropriately
  • Provide required privacy notices to data subjects
  • Comply with all applicable data protection laws in your jurisdiction

7. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication mechanisms
  • Regular security audits and vulnerability assessments
  • Network and system monitoring for suspicious activity
  • Secure data centers with physical security controls
  • Regular backups with tested restoration procedures
  • Incident response and breach notification procedures

8. Data Transfers

Personal data may be processed in data centers located outside the European Economic Area (EEA). We ensure appropriate safeguards for such transfers, including:

  • Standard Contractual Clauses (SCCs) where applicable
  • Adequacy decisions where available
  • Other lawful transfer mechanisms as provided under GDPR Article 46

9. Sub-Processing

We may engage sub-processors to assist in providing our service. We currently use the following sub-processors:

  • Supabase: Authentication and database services
  • NocoDB: Structured data management
  • Hosting Providers: Cloud infrastructure and hosting
  • Payment Processors: Transaction processing (if applicable)

We enter into written agreements with all sub-processors that impose equivalent data protection obligations. You grant us general authorization to use the sub-processors listed above.

10. Data Subject Rights

We will assist you in responding to data subject requests, including rights to:

  • Access their personal data
  • Rectify inaccurate data
  • Erase data ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing

If we receive a request directly from a data subject, we will forward it to you and await your instructions.

11. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay (and no later than 72 hours after becoming aware) if feasible.

Our notification will include:

  • Description of the nature of the breach
  • Categories and number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

12. Audits and Compliance

Upon reasonable notice and during normal business hours, you may request information or audit rights to verify our compliance with this DPA and applicable data protection laws.

Any audits will be conducted in a manner that minimizes disruption to our operations and will be subject to appropriate confidentiality obligations.

13. Data Retention and Deletion

We will retain personal data only for as long as necessary to provide our service and comply with legal obligations.

Upon termination of your account or upon your request, we will delete or return all personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

14. Limitation of Liability

This DPA does not create any additional liability for either party beyond what is specified in the Terms of Service.

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

15. Governing Law

This DPA shall be governed by the laws applicable to the main Terms of Service, subject to any mandatory provisions of GDPR or other applicable data protection laws.

If you have any questions about this document, please contact us at hello@bookuploadpro.com.