Data Processing Addendum

Last Updated: November 13, 2025

This Data Processing Addendum (the “Addendum”) forms part of the Terms of Service (the “Agreement”) between MedusaJS, Inc. (“Company”) and the entity or individual using the Services (“Customer”).

This Addendum describes how Company processes and protects personal data on behalf of Customer when providing the Cloud Services and ensures compliance with Article 28 of the General Data Protection Regulation (GDPR).

1. ROLES AND RESPONSIBILITIES

1.1 Customer acts as the data controller, determining the purposes and means of processing personal data.

1.2 Company acts as the data processor, processing personal data only on behalf of Customer and according to documented instructions or as required by law.

2. SUBJECT MATTER AND PURPOSE

2.1 Company processes personal data only to provide, maintain, and improve the Services.

2.2 Processing continues for as long as Customer uses the Services and until personal data processed for Customer is deleted or returned as described in this Addendum.

3. TYPES OF PERSONAL DATA

3.1 The personal data processed by Company may include names, contact details, order information, IP addresses, and other data submitted through the Services.

3.2 Data subjects may include customers, employees, contractors, and other individuals whose data Customer decides to process.

4. COMPANY OBLIGATIONS

4.1 Company processes personal data only on Customer instructions unless required by law, ensures that authorised personnel are bound by confidentiality, and maintains appropriate technical and organisational measures to protect personal data.

4.2 Company assists Customer, where reasonably possible, in fulfilling obligations under applicable data protection laws, including responding to data subject requests and cooperating with supervisory authorities.

4.3 Company notifies Customer without undue delay if it becomes aware of a personal data breach.

4.4 Company uses sub-processors only as described in section 5 and deletes or returns personal data after the Agreement ends as described in section 8.

5. SUB-PROCESSORS

5.1 Customer authorises Company to use sub-processors to help provide the Services.

5.2 Company ensures that all sub-processors are bound by written terms providing an equivalent level of data protection.

5.3 Company remains responsible for the actions of sub-processors.

6. SECURITY

6.1 Company maintains technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, loss, alteration, or disclosure.

7. INTERNATIONAL DATA TRANSFERS

7.1 If personal data is transferred outside the European Economic Area, the United Kingdom, or another jurisdiction with equivalent data protection laws, Company ensures those transfers comply with applicable legal requirements, including the use of Standard Contractual Clauses or another lawful mechanism.

8. DATA DELETION AND RETURN

8.1 Upon Customer request, Company deletes or returns all personal data processed on behalf of Customer, unless retention is required by law.

8.2 If Customer requests deletion, Company securely removes the data from its systems within a reasonable time and confirms completion.

9. LIABILITY AND GOVERNING LAW

9.1 Each party’s liability under this Addendum is subject to the limitations set out in the Agreement.

9.2 This Addendum is governed by the same law and jurisdiction as the Agreement.