Legal

Data Processing Addendum

Last updated June 30, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer,” “you”) and AutoPrintFarm LLC (“AutoPrintFarm,” “we”) and applies whenever we process personal data on your behalf in providing the Service. It reflects our obligations under applicable data-protection laws, including the EU and UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act as amended (“CCPA/CPRA”). If you require a countersigned copy, email legal@autoprintfarm.com.

1. Roles

For the personal data of your buyers and customers that we process to sync and fulfill your orders (the “Customer Personal Data”), you are the controller / business and AutoPrintFarm is the processor / service provider. We process Customer Personal Data only on your documented instructions and only to provide the Service, and we are prohibited from selling or sharing it or retaining, using, or disclosing it for any purpose other than providing the Service or as permitted by the CCPA/CPRA. We certify that we understand and will comply with these restrictions. (As a separate matter of contract between Wix and AutoPrintFarm, we are treated as an independent controller of a Wix merchant’s own account data; the merchant’s buyer data remains processed on the merchant’s behalf under this DPA.)

2. Scope and instructions

The subject matter of the processing is the provision of the Service; the duration is the term of your use; the nature and purpose are receiving, routing, fulfilling, and shipping your orders and operating your workspace; the types of personal data include buyer/customer name, shipping and billing address, email, phone, order contents, and related fulfillment data; and the data subjects are your buyers and customers. Your use of the Service, and your configuration of it, constitute your instructions. We’ll tell you if we believe an instruction violates applicable law.

3. Confidentiality and security

We keep Customer Personal Data confidential and ensure that personnel authorized to process it are bound by confidentiality obligations. We implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, including encryption in transit and at rest, tenant isolation, role-based access controls and access logging, isolation of sensitive stores, and an incident-response process, consistent with the “Security” section of our Privacy Policy.

4. Subprocessors

You authorize us to engage subprocessors to process Customer Personal Data. Our current subprocessors are listed on our Subprocessors page. We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance. We’ll provide a mechanism to be notified of new subprocessors and a reasonable opportunity to object on legitimate data-protection grounds.

5. Data-subject requests and platform deletion signals

Taking into account the nature of the processing, we will assist you, by appropriate technical and organizational measures, in responding to requests from data subjects to exercise their rights, and in honoring the deletion mechanisms the marketplaces require. As described in our Privacy Policy, we implement and honor Shopify’s compliance webhooks (customers/data_request, customers/redact, shop/redact) and eBay’s Marketplace Account Deletion notifications, and we delete or irreversibly anonymize Customer Personal Data within 30 days of disconnection, account closure, a valid deletion request, or the data no longer being needed, subject to legally required retention.

6. Personal-data breach

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and provide information reasonably available to us to help you meet your own notification obligations. Where we act on behalf of a connected platform, we will also notify that platform as its rules require.

7. International transfers

AutoPrintFarm processes data in the United States. Where Customer Personal Data of individuals in the EEA, UK, or Switzerland is transferred to us, the parties agree that the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) are incorporated by reference and apply to that transfer, with AutoPrintFarm as “data importer.”

8. Audits

On reasonable written request, and subject to confidentiality, we’ll make available information necessary to demonstrate compliance with this DPA and contribute to audits as required by applicable law, which may be satisfied through documentation and written responses to a security questionnaire.

9. Return and deletion on termination

On termination of the Service, we will delete or, at your choice and where feasible, return Customer Personal Data, except for copies we must retain by law, which remain subject to this DPA.

10. General

This DPA is incorporated into and subject to the Terms of Service, including its limitations of liability. In case of conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data, this DPA controls. Questions: legal@autoprintfarm.com.

This document is a reasonable draft intended for review by your legal counsel; it is not legal advice.