Data Processing Agreement

Last updated: March 23, 2026 — Effective Date: March 23, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the Merchant ("Data Controller," "you," or "your") and Gemhubx and its affiliates, subsidiaries, successors, and assigns (collectively, "Gemhubx," "Data Processor," "we," "us," or "our") and governs the processing of Personal Data by Gemhubx on behalf of the Merchant in connection with the Gemhubx application, website at https://gemhubapp.com, APIs, and all related services (collectively, the "Service").

This DPA supplements and is incorporated into the Terms of Service and Privacy Policy. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

BY INSTALLING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS DPA. THIS DPA IS EFFECTIVE UPON INSTALLATION OF THE GEMHUBX APPLICATION ON YOUR STORE.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the Terms of Service or as defined in applicable Data Protection Laws.

"Controller" (also referred to as "Data Controller") means the Merchant who determines the purposes and means of Processing Personal Data. For the purposes of this DPA, you are the Controller with respect to your end customers' Personal Data.
"Processor" (also referred to as "Data Processor") means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Gemhubx acts as the Processor with respect to the Personal Data you instruct us to process through the Service.
"Sub-processor" means any third party engaged by Gemhubx to process Personal Data on behalf of the Controller in connection with the Service. Sub-processors include, but are not limited to, hosting providers, fulfillment suppliers, shipping carriers, and payment processors.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), including but not limited to names, email addresses, postal addresses, telephone numbers, IP addresses, device identifiers, order information, payment references, and any other data that can be used, directly or indirectly, to identify a natural person.
"Processing" (and its cognates "Process," "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction.
"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA. Data Subjects include, but are not limited to, the Merchant's end customers, the Merchant's employees and staff, and any individual whose Personal Data is transmitted to Gemhubx through the Service.
"Supervisory Authority" means an independent public authority established by a member state of the European Union pursuant to the General Data Protection Regulation (GDPR), or any equivalent regulatory body in another jurisdiction responsible for monitoring and enforcing compliance with Data Protection Laws.
"Data Protection Laws" means all applicable data protection and privacy legislation, including but not limited to the EU General Data Protection Regulation (GDPR) 2016/679, the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Brazilian General Data Protection Law (LGPD), and any other applicable data protection legislation in the relevant jurisdiction.
"Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of Personal Data to processors established in third countries, as approved by the European Commission or any competent Supervisory Authority.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Gemhubx or its Sub-processors.

2. Scope and Purpose

2.1 Roles of the Parties

The Merchant acts as the Data Controller with respect to Personal Data of its end customers and staff that is Processed through the Service. Gemhubx acts as the Data Processor, Processing Personal Data solely on behalf of and in accordance with the documented instructions of the Merchant as set forth in this DPA and the Agreement.

2.2 Purpose of Processing

Gemhubx Processes Personal Data solely for the purpose of providing the Service to the Merchant, including but not limited to:

Order fulfillment: Receiving, routing, and coordinating the fulfillment of orders placed by the Merchant's end customers, including transmitting order and shipping details to fulfillment suppliers and shipping carriers
Product management: Synchronizing product data, inventory levels, pricing, and availability between the Merchant's store and the Gemhubx platform
Shipping and logistics: Processing shipping addresses, generating shipping labels, obtaining tracking numbers, and providing delivery status updates to the Merchant
Customer communication: Transmitting order confirmations, shipping notifications, and tracking information on behalf of the Merchant
Account administration: Managing the Merchant's account, subscription, billing, and support requests
Platform operations: Maintaining, securing, and improving the infrastructure and functionality of the Service

Gemhubx shall not Process Personal Data for any purpose other than those specified in this DPA unless required by applicable law, in which case Gemhubx shall inform the Merchant of such legal requirement before Processing (unless prohibited by law from doing so).

2.3 Documented Instructions

Gemhubx shall Process Personal Data only on documented instructions from the Merchant, including with respect to transfers of Personal Data to a third country or international organization, unless required to do so by European Union or Member State law to which Gemhubx is subject. In such a case, Gemhubx shall inform the Merchant of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Merchant's instructions are documented in this DPA, the Terms of Service, and through the Merchant's use and configuration of the Service.

3. Duration of Processing

Gemhubx shall Process Personal Data for the duration of the Agreement between the Merchant and Gemhubx. Processing shall commence upon installation of the Gemhubx application on the Merchant's store and shall continue until the Agreement is terminated.

Upon termination of the Agreement:

Gemhubx shall continue to Process Personal Data for a transitional period of thirty (30) days following the effective date of termination, solely to the extent necessary to complete any pending order fulfillment and to allow the Merchant to retrieve or export their data
After the thirty (30) day transitional period, Gemhubx shall delete or anonymize all Personal Data in accordance with Section 14 of this DPA
Processing that is required to comply with legal retention obligations (such as tax, accounting, or regulatory requirements) shall continue for the duration mandated by applicable law, after which the data shall be securely deleted

4. Nature and Purpose of Processing

The nature of Processing carried out by Gemhubx includes the following operations on Personal Data:

4.1 Order Data Processing

Receiving order data from the Merchant's Shopify or WooCommerce store via API
Parsing and validating order details, including line items, quantities, and pricing
Routing orders to the appropriate fulfillment supplier based on product source
Transmitting customer shipping addresses and contact information to fulfillment suppliers for order dispatch
Recording and storing order status, payment status, and fulfillment status

4.2 Customer Data for Fulfillment

Collecting customer names, shipping addresses, and contact details as necessary to fulfill orders
Transmitting customer data to suppliers and shipping carriers solely for order dispatch and delivery
Storing customer data in encrypted databases for order tracking, return processing, and dispute resolution
Deleting or anonymizing customer data upon Merchant request or upon expiration of the retention period

4.3 Product Synchronization

Importing product data (titles, descriptions, images, variants, pricing, SKUs) from the Gemhubx catalog to the Merchant's store
Synchronizing inventory levels, pricing updates, and product availability between Gemhubx and the Merchant's store
Storing Shopify product IDs and variant mappings to maintain the link between the Merchant's store and the Gemhubx platform

5. Types of Personal Data Processed

Gemhubx Processes the following categories of Personal Data on behalf of the Merchant:

Data Category	Specific Data Elements	Purpose
Customer Identity	First name, last name	Order fulfillment, shipping labels, customer correspondence
Customer Contact	Email address, phone number	Order confirmations, shipping notifications, delivery coordination
Shipping Address	Street address, city, state/province, postal code, country	Order dispatch, shipping label generation, customs documentation
Billing Address	Street address, city, state/province, postal code, country	Order verification, fraud prevention
Order Details	Order ID, line items, product names, SKUs, quantities, unit prices, discounts, total amounts	Order processing, fulfillment routing, financial reconciliation
Payment Status	Payment status (paid, pending, refunded), payment method type (no card numbers)	Order release for fulfillment, refund processing
Shipping Information	Shipping method, carrier name, tracking number, estimated delivery date, delivery confirmation	Shipment tracking, delivery status updates
Merchant Account Data	Merchant name, email, store domain, store name, access tokens (encrypted), subscription details	Account management, API authentication, billing
Technical Data	IP addresses, browser type, device information, session identifiers	Security, fraud prevention, session management

Gemhubx does not Process or store credit card numbers, CVVs, bank account numbers, or other sensitive financial instruments. Payment processing is handled entirely by the Merchant's payment gateway (e.g., Shopify Payments, Stripe, PayPal).

6. Categories of Data Subjects

The following categories of Data Subjects may have their Personal Data Processed under this DPA:

6.1 Merchant's End Customers

Individuals who place orders through the Merchant's online store for products sourced via the Gemhubx platform. Their Personal Data is Processed for the purpose of order fulfillment, shipping, delivery, and post-sale support (such as returns and exchanges).

6.2 Merchant's Employees and Staff

Individuals who access and use the Gemhubx Service on behalf of the Merchant, including store owners, administrators, and authorized team members. Their Personal Data is Processed for account management, authentication, and access control purposes.

6.3 Gift Recipients

Individuals designated as recipients of orders where the shipping address differs from the billing address. Their Personal Data (name and shipping address) is Processed solely for order delivery purposes.

7. Processor Obligations

Gemhubx, as the Data Processor, undertakes the following obligations:

7.1 Processing on Documented Instructions

Gemhubx shall Process Personal Data only on documented instructions from the Merchant, as set forth in this DPA and the Agreement. If Gemhubx believes that an instruction from the Merchant infringes applicable Data Protection Laws, Gemhubx shall immediately inform the Merchant and may suspend the relevant Processing until the Merchant issues corrected instructions.

7.2 Confidentiality

Gemhubx shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA and the employment or engagement of the relevant personnel.

7.3 Security Measures

Gemhubx shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 9 of this DPA. These measures shall be regularly reviewed and updated as necessary to address evolving threats and vulnerabilities.

7.4 Sub-processor Requirements

Gemhubx shall not engage a Sub-processor without the prior general written authorization of the Merchant, which is granted by the Merchant's acceptance of this DPA. Before engaging a new Sub-processor, Gemhubx shall:

Notify the Merchant of the intended engagement, including the identity of the Sub-processor and the nature of the Processing
Enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those set out in this DPA
Remain fully liable to the Merchant for the performance of the Sub-processor's obligations

The Merchant may object to the engagement of a new Sub-processor as described in Section 8.

7.5 Assistance with Data Subject Rights

Gemhubx shall assist the Merchant, by appropriate technical and organizational measures, insofar as possible, in fulfilling the Merchant's obligation to respond to Data Subject requests exercising their rights under Data Protection Laws, as further described in Section 11.

7.6 Assistance with Compliance Obligations

Gemhubx shall assist the Merchant in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (and equivalent provisions of other Data Protection Laws), taking into account the nature of Processing and the information available to Gemhubx. This includes assistance with:

Implementation of appropriate security measures
Notification of Personal Data breaches to the Supervisory Authority and Data Subjects
Data protection impact assessments
Prior consultation with the Supervisory Authority

7.7 Data Deletion and Return

Upon termination of the Agreement or upon the Merchant's written request, Gemhubx shall, at the Merchant's choice, delete or return all Personal Data to the Merchant and delete existing copies, unless European Union or Member State law requires storage of the Personal Data. Gemhubx shall certify deletion in writing upon the Merchant's request.

7.8 Audit and Information

Gemhubx shall make available to the Merchant all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Merchant or an auditor mandated by the Merchant, as further described in Section 13.

8. Sub-processors

The Merchant provides general authorization for Gemhubx to engage Sub-processors to assist in providing the Service, subject to the requirements of this Section.

8.1 Current Sub-processors

As of the effective date of this DPA, Gemhubx engages the following categories of Sub-processors:

Sub-processor Category	Purpose	Data Accessed
Cloud Infrastructure Provider	Hosting, storage, and operation of the Gemhubx platform and databases	All Personal Data stored within the Service (encrypted at rest)
Fulfillment Suppliers (QGold, GND)	Product sourcing, order fulfillment, and shipment dispatch	Customer names, shipping addresses, order details (line items, quantities)
Shipping Carriers	Package delivery, tracking, and delivery confirmation	Customer names, shipping addresses, phone numbers, package details
Payment Processors	Subscription billing and Merchant payment processing	Merchant billing information, subscription plan details
Content Delivery Network (Cloudflare)	Web application firewall, DDoS protection, content delivery, and SSL/TLS termination	IP addresses, request headers, session tokens (in transit)
Email Service Provider	Transactional email delivery (order notifications, account alerts)	Recipient email addresses, email content

8.2 Notification of New Sub-processors

Gemhubx shall notify the Merchant at least thirty (30) days in advance before engaging any new Sub-processor or replacing an existing Sub-processor. Notification shall be provided via email to the address associated with the Merchant's account or through an update to the Sub-processor list published on the Gemhubx website.

8.3 Right to Object

The Merchant may object to the engagement of a new Sub-processor by notifying Gemhubx in writing within fifteen (15) days of receiving the notification described in Section 8.2. The objection must be based on reasonable grounds relating to data protection. Upon receipt of an objection, Gemhubx shall:

Make commercially reasonable efforts to provide the Service without engaging the objected-to Sub-processor, or propose an alternative Sub-processor
If Gemhubx is unable to accommodate the objection within thirty (30) days, either party may terminate the Agreement upon written notice, and Gemhubx shall refund any prepaid fees covering the unused portion of the subscription term

8.4 Sub-processor Agreements

Gemhubx shall enter into written agreements with each Sub-processor that impose data protection obligations substantially equivalent to those set out in this DPA. Gemhubx shall remain fully responsible for the acts and omissions of its Sub-processors as if they were the acts and omissions of Gemhubx itself.

9. Security Measures

Gemhubx implements and maintains the following technical and organizational security measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure:

9.1 Encryption

Encryption in transit: All data transmitted between the Merchant's browser and Gemhubx servers, and between Gemhubx servers and third-party APIs, is encrypted using TLS 1.2 or higher with strong cipher suites
Encryption at rest: Sensitive data including access tokens, API credentials, and customer Personal Data stored in databases is encrypted using AES-256 encryption
Key management: Encryption keys are securely stored, rotated on a regular schedule, and access to keys is restricted to authorized systems and personnel

9.2 Authentication and Access Control

Shopify OAuth 2.0: Shopify Merchants authenticate through Shopify's OAuth 2.0 protocol, ensuring that access tokens are securely obtained and stored
HMAC-SHA256 webhook verification: All incoming webhooks from Shopify and other sources are validated using HMAC-SHA256 signature verification to ensure authenticity and integrity
Role-based access control (RBAC): Access to systems, databases, and Personal Data is restricted based on the principle of least privilege. Personnel are granted access only to the data and systems necessary for their specific role
Password security: All user passwords are hashed using bcrypt with appropriate cost factors. Plaintext passwords are never stored or logged

9.3 Infrastructure Security

Firewall protection: Server infrastructure is protected by configured firewalls that restrict inbound and outbound traffic to only necessary ports and services (HTTP/80, HTTPS/443, SSH/22)
Cloudflare Web Application Firewall (WAF): All traffic to the Service is routed through Cloudflare, providing DDoS protection, bot mitigation, and web application firewall capabilities
Secure session management: Sessions are stored server-side in the database with secure, HTTP-only, SameSite=None cookies for embedded application compatibility. Sessions are invalidated upon logout and expire after a defined period of inactivity
Regular patching: Operating systems, application frameworks, and dependencies are regularly updated to address known security vulnerabilities

9.4 Organizational Measures

Confidentiality agreements: All personnel with access to Personal Data are bound by confidentiality obligations
Access reviews: Access rights are periodically reviewed and promptly revoked when no longer necessary
Incident response procedures: Documented procedures for detecting, escalating, investigating, and remediating Security Incidents
Data minimization: Only Personal Data that is necessary for the specified Processing purposes is collected and retained
Backup and recovery: Regular encrypted backups are performed and tested to ensure data can be restored in the event of data loss

10. Data Breach Notification

10.1 Notification to Merchant

In the event of a Security Incident involving Personal Data Processed on behalf of the Merchant, Gemhubx shall notify the Merchant without undue delay and in any event within seventy-two (72) hours after becoming aware of the Security Incident. Notification shall be provided to the email address associated with the Merchant's account.

10.2 Content of Notification

The notification shall include, to the extent reasonably available at the time of notification:

A description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected
The name and contact details of the point of contact at Gemhubx from whom more information can be obtained
A description of the likely consequences of the Security Incident
A description of the measures taken or proposed to be taken by Gemhubx to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects

Where it is not possible to provide all information at the same time, Gemhubx shall provide the information in phases without undue delay as it becomes available.

10.3 Cooperation and Investigation

Gemhubx shall:

Cooperate fully with the Merchant in investigating, mitigating, and remediating the Security Incident
Take all reasonable and appropriate steps to contain, investigate, and remediate the Security Incident and to minimize any ongoing risk to Data Subjects
Preserve all relevant evidence and logs related to the Security Incident
Assist the Merchant in meeting its notification obligations to Supervisory Authorities and affected Data Subjects under applicable Data Protection Laws
Not make any public statement regarding a Security Incident without first consulting the Merchant, unless required by applicable law

10.4 Security Incident Response Policy

Gemhubx maintains a Security Incident Response Policy that documents the procedures for detection, containment, investigation, notification, and post-incident review. Details are available in our Security Policy. The Merchant may request a summary of the Incident Response Policy at any time by contacting [email protected].

11. Data Subject Rights

11.1 Merchant Responsibility

The Merchant, as the Data Controller, is responsible for responding to Data Subject requests exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, portability, restriction of Processing, and objection.

11.2 Gemhubx Assistance

Gemhubx shall assist the Merchant in responding to Data Subject requests by:

Promptly forwarding any Data Subject request received directly by Gemhubx to the Merchant, unless otherwise instructed
Providing the Merchant with the technical capability to access, export, rectify, or delete Personal Data through the Service's interface or API
Upon the Merchant's written request, searching for and providing all Personal Data held about a specific Data Subject
Upon the Merchant's written request, deleting or anonymizing all Personal Data held about a specific Data Subject, to the extent technically feasible and not in conflict with legal retention obligations
Providing data in a structured, commonly used, machine-readable format when requested for data portability purposes

11.3 Response Time

Gemhubx shall respond to the Merchant's requests for assistance with Data Subject rights within forty-eight (48) hours of receiving the request. Where a request requires extensive technical work (such as extracting data from backup systems), Gemhubx shall acknowledge the request within forty-eight (48) hours and provide a timeline for completion.

11.4 GDPR Webhook Compliance

Gemhubx implements automated processing for the following Shopify-mandated GDPR webhooks:

Customer Data Request (customers/data_request): Upon receiving a customer data request webhook from Shopify, Gemhubx compiles and provides all Personal Data held about the specified customer
Customer Redact (customers/redact): Upon receiving a customer redact webhook from Shopify, Gemhubx permanently deletes or anonymizes all Personal Data associated with the specified customer
Shop Redact (shop/redact): Upon receiving a shop redact webhook from Shopify (following app uninstallation and the required waiting period), Gemhubx permanently deletes or anonymizes all data associated with the Merchant's store

All GDPR webhooks are validated using HMAC-SHA256 signature verification before processing.

12. International Data Transfers

12.1 Transfer Locations

Personal Data Processed by Gemhubx may be transferred to, stored, and Processed in the United States and other countries where Gemhubx, its affiliates, or its Sub-processors maintain facilities. The Merchant acknowledges and consents to such transfers as necessary for the provision of the Service.

12.2 Transfer Safeguards

Where Personal Data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of data protection by the relevant authority, Gemhubx shall ensure that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs): Gemhubx shall enter into the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) with the Merchant and/or its Sub-processors, as applicable. The SCCs are hereby incorporated by reference into this DPA.
UK International Data Transfer Addendum: For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (as issued by the UK Information Commissioner's Office) shall apply.
Supplementary measures: Gemhubx shall implement additional technical, contractual, and organizational measures as necessary to ensure that the transferred data is afforded a level of protection that is essentially equivalent to that guaranteed within the EEA, UK, or Switzerland.

12.3 Transfer Impact Assessments

Upon the Merchant's request, Gemhubx shall cooperate in conducting a transfer impact assessment to evaluate whether the laws and practices of the destination country may impinge on the effectiveness of the transfer safeguards, and to identify and implement supplementary measures where necessary.

13. Audits

13.1 Audit Rights

The Merchant, or an independent third-party auditor appointed by the Merchant, may audit Gemhubx's compliance with this DPA. Audits may include inspections of Gemhubx's data processing facilities, systems, policies, and procedures relevant to the Processing of the Merchant's Personal Data.

13.2 Audit Procedures

The Merchant shall provide Gemhubx with at least thirty (30) days' prior written notice of an intended audit, including the proposed scope, duration, and start date. Audits shall be conducted:

During regular business hours
In a manner that does not unreasonably disrupt Gemhubx's business operations
No more than once per calendar year, unless a Security Incident has occurred or a Supervisory Authority requires an additional audit
Subject to reasonable confidentiality obligations to protect Gemhubx's proprietary information and the data of other customers

13.3 Audit Costs

Each party shall bear its own costs in connection with the audit. If an audit reveals a material breach of this DPA by Gemhubx, Gemhubx shall bear the reasonable costs of the audit and shall promptly remediate the identified deficiencies at its own expense.

13.4 Alternative Audit Mechanisms

In lieu of an on-site audit, Gemhubx may provide the Merchant with:

A summary of the results of any relevant third-party security audits or certifications (such as SOC 2 reports, ISO 27001 certifications, or penetration test summaries)
Written responses to the Merchant's reasonable security and compliance questionnaires
Documentation demonstrating compliance with the security measures described in Section 9

14. Term and Termination

14.1 Effective Date

This DPA becomes effective upon the Merchant's installation of the Gemhubx application on their Shopify or WooCommerce store, or upon the Merchant's creation of a Gemhubx account, whichever occurs first.

14.2 Duration

This DPA shall remain in effect for the duration of the Agreement. If the Agreement terminates, this DPA shall automatically terminate, subject to the data retention and deletion obligations set forth herein.

14.3 Data Handling Upon Termination

Upon termination of the Agreement, Gemhubx shall:

Cease all Processing of Personal Data on behalf of the Merchant, except as necessary to fulfill the obligations described in this Section
Provide the Merchant with the ability to export their data in a structured, commonly used, machine-readable format for a period of thirty (30) days following termination
After the thirty (30) day period, permanently delete all Personal Data from Gemhubx's primary systems, including databases, file storage, and application caches
Delete Personal Data from backup systems within ninety (90) days following termination, as part of Gemhubx's regular backup rotation cycle
Upon the Merchant's written request, provide a written certification confirming that all Personal Data has been deleted in accordance with this Section

14.4 Legal Retention Exceptions

Notwithstanding the foregoing, Gemhubx may retain Personal Data to the extent and for the duration required by applicable law, regulation, or legal process (including tax, accounting, and regulatory retention requirements). Any retained data shall be protected in accordance with this DPA and shall not be Processed for any purpose other than the purpose for which retention is required. Upon expiration of the applicable retention period, such data shall be securely deleted.

15. Liability

15.1 Liability Cap

The total aggregate liability of each party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA shall be construed to limit or exclude liability to the extent such limitation or exclusion is not permitted by applicable law.

15.2 Indemnification

Each party shall indemnify, defend, and hold harmless the other party from and against any losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to the indemnifying party's breach of this DPA, to the extent permitted under the Terms of Service.

15.3 Data Subject Claims

Where a Data Subject brings a claim directly against Gemhubx for a breach of this DPA, the Merchant shall indemnify Gemhubx for any costs, charges, damages, expenses, or losses arising from such claim to the extent that the claim arose from the Merchant's breach of its obligations under Data Protection Laws or this DPA.

16. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions, except to the extent that applicable Data Protection Laws require the application of the law of another jurisdiction.

For Merchants located in the European Economic Area, this DPA shall be governed by the law of the EU Member State in which the Merchant is established, to the extent required by the GDPR. For Merchants located in the United Kingdom, this DPA shall be governed by the laws of England and Wales, to the extent required by the UK Data Protection Act 2018.

Any disputes arising under or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set out in the Terms of Service.

17. General Provisions

17.1 Entire Agreement

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous representations, understandings, agreements, or communications relating to the Processing of Personal Data.

17.2 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

17.3 Amendments

Gemhubx may amend this DPA from time to time to reflect changes in applicable Data Protection Laws, industry standards, or our Processing activities. Material changes will be communicated to the Merchant via email or through the Service at least thirty (30) days before they take effect. The Merchant's continued use of the Service after the effective date of any amendment constitutes acceptance of the amended DPA.

17.4 No Waiver

The failure of either party to enforce any right or provision of this DPA shall not constitute a waiver of such right or provision. Any waiver must be in writing and signed by an authorized representative of the waiving party.

17.5 Assignment

The Merchant may not assign or transfer its rights or obligations under this DPA without Gemhubx's prior written consent. Gemhubx may assign this DPA to any affiliate, successor, or acquirer of all or substantially all of its business or assets, provided that the assignee agrees to be bound by the terms of this DPA.

18. Contact

If you have questions about this Data Processing Agreement, wish to exercise your rights, or need to report a Security Incident, please contact us:

Gemhubx — Data Protection
Email: [email protected]
Website: https://gemhubapp.com
Support: [email protected]

For urgent Security Incident reports, please email [email protected] with the subject line "URGENT: Security Incident Report" and include as much detail as possible.