layer logo

Data Processing Addendum

Last Updated: July 17, 2025

This Data Processing Addendum (“DPA”) is entered into by and between the Customer (“Controller” or “Merchant”) and Algorithmic Labs, LLC, a Delaware limited liability company (“Processor” or “Vaybel”). This DPA is incorporated into and forms an integral part of the Vaybel Terms of Service (the “Agreement”) between Vaybel and the Merchant to reflect the parties’ agreement with regard to the Processing of Personal Data.

1. Definitions

“Data Protection Laws” means all applicable laws and regulations relating to data privacy and security, including but not limited to the General Data Protection Regulation (EU 2016/679) (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).

“Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” shall have the meanings ascribed to them in the GDPR.

“Controller” and “Processor” shall have the meanings ascribed to them in the GDPR. For the purposes of this DPA, the Merchant is the Controller, and Vaybel is the Processor.

“Services” refers to the services provided by Vaybel to the Merchant pursuant to the Agreement.

“Sub-processor” means any third-party processor engaged by Vaybel to Process Personal Data in connection with the Services.

2. Processing of Personal Data

2.1. Roles of the Parties

The parties acknowledge and agree that with respect to the Processing of Personal Data, the Merchant is the Controller and Vaybel is the Processor.

2.2. Merchant’s Processing of Personal Data

The Merchant shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. The Merchant’s instructions to Vaybel for the Processing of Personal Data shall comply with Data Protection Laws.

2.3. Vaybel’s Processing of Personal Data

Vaybel shall only Process Personal Data on behalf of and in accordance with the Merchant’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA; and (ii) Processing for any other purposes as subsequently instructed by the Merchant.

2.4. Details of the Processing

The subject matter, duration, nature and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are set forth in Annex 1.

3. Obligations of the Processor

3.1. Confidentiality

Vaybel shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to obligations of confidentiality.

3.2. Security

Vaybel shall implement and maintain appropriate technical and organizational measures to protect the Personal Data from a Personal Data Breach, as described in Annex 3.

3.3. Sub-processing

  • a. The Merchant provides general written authorization for Vaybel to engage Sub-processors to support the provision of the Services. Vaybel shall maintain a current list of its Sub-processors, as set forth in Annex 2.
  • b. Vaybel shall provide the Merchant with prior written notice of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Merchant the opportunity to object to such changes.
  • c. Where Vaybel engages a Sub-processor, it shall do so by way of a written contract which imposes on the Sub-processor the same data protection obligations as are imposed on Vaybel under this DPA.

3.4. Data Subject Rights

Taking into account the nature of the Processing, Vaybel shall provide reasonable assistance to the Merchant, to the extent possible, for the fulfillment of the Merchant’s obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws. Vaybel will direct any such requests it receives to the Merchant.

3.5. Personal Data Breach

Vaybel shall notify the Merchant no later than 48 hours after becoming aware of a Personal Data Breach. Vaybel shall provide the Merchant with sufficient information to allow the Merchant to meet any obligations to report the breach to a supervisory authority.

3.6. Return or Deletion of Data

Upon termination of the Agreement, Vaybel shall, at the choice of the Merchant, delete or return all Personal Data to the Merchant, unless applicable law requires storage of the Personal Data.

3.7. Audit Rights

Upon written request, no more than once per year, Vaybel will make available SOC 2, ISO-27001, or similar reports, and will allow Merchant (or its independent auditor) to conduct a reasonable audit of Vaybel’s data-processing facilities, subject to reasonable notice and confidentiality.

3.8. Assistance with DPIAs

At Merchant’s reasonable request, Vaybel will assist Merchant with Data-Protection Impact Assessments and consultations with supervisory authorities, in each case solely in relation to Processing of Personal Data by Vaybel.

4. International Transfers

Vaybel may transfer and process Personal Data in the United States and other jurisdictions where its Sub-processors are located. For any transfers of Personal Data from the European Economic Area, Switzerland, or the United Kingdom to a country not deemed to provide an adequate level of data protection, Vaybel shall ensure that appropriate safeguards, such as the Standard Contractual Clauses (SCCs), are in place.

For transfers from the EEA, the parties agree that the EU Standard Contractual Clauses 2021/914 (Module 2, Controller-to-Processor) are incorporated by reference. The Annexes of the SCCs shall be deemed completed with the information set out in the Annexes of this DPA. For transfers subject to the UK GDPR, the parties adopt the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0).

5. General Provisions

5.1. Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the subject matter of data processing.

5.2. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles.

5.3. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations of liability provisions of the Agreement.

Annex 1: Details of Processing

A. Subject Matter and Duration

Subject Matter: The Processing of Personal Data in connection with the provision of the Vaybel Services under the Agreement.

Duration: For the term of the Agreement, and until all Personal Data is deleted or returned in accordance with the DPA.

B. Nature and Purpose of Processing

  • To provide the Services to the Merchant, including AI-powered content generation, e-commerce marketplace integration, social media automation, and checkout solutions.
  • To process customer orders on behalf of the Merchant through the Checkout Link service and facilitate fulfillment with POD Providers.
  • To perform data analysis to improve the Services, including training AI models.
  • To communicate with the Merchant for support and service-related notices.

C. Types of Personal Data

  • Merchant Data: Name, email address, phone number, billing information, account credentials.
  • Customer Data (Processed on behalf of Merchant): Customer name, email address, shipping address, order details, transaction information.
  • Content Data: AI tool inputs, text prompts, and images uploaded by the Merchant.

D. Categories of Data Subjects

  • Merchants/Users who have registered for an account on the Vaybel Platform.
  • Customers of the Merchant whose information is processed through the Checkout Link service.

Annex 2: Sub-processor List

The Merchant agrees that Vaybel may use the following Sub-processors to provide the Services:

Category
Sub-processor
Purpose
Cloud Infrastructure
Amazon Web Services, Inc. (AWS)
Cloud hosting and storage services.
Payment Processing
Stripe, Inc.
Processing of subscription fees and customer payments.
Order Fulfillment
Printful, Inc.
Fulfilling print-on-demand orders for Merchants.
Marketplace & Social
TikTok Inc., Etsy, Inc., Shopify Inc., Meta Platforms, Inc., Google LLC (YouTube)
Integrations for product listing and social content creation.
AI & ML Models
Google LLC (Gemini/Vertex AI), OpenAI L.L.C., Anthropic, PBC (Claude), ElevenLabs, Fal.ai, Replicate, Inc.
Providing underlying AI model capabilities for content generation.
Third-Party Services
SerpApi, LLC
Specialized API services for audio generation and data retrieval.

Annex 3: Security Measures

Vaybel implements and maintains the following technical and organizational security measures:

  • Access Control: Access to Personal Data is limited to authorized personnel with a legitimate business need. Multi-factor authentication is used where appropriate.
  • Encryption: Personal Data is encrypted in transit using industry-standard protocols (e.g., TLS) and at rest.
  • Data Minimization: Vaybel collects and processes only the Personal Data necessary to provide the Services.
  • Breach Detection and Response: Vaybel maintains systems to monitor for and respond to security incidents and will follow the data breach notification procedures outlined in this DPA.
  • Personnel Security: All personnel with access to Personal Data are subject to confidentiality obligations and receive regular data security training.