Legal

Data Processing Agreement

For business customers who need a formal DPA for GDPR compliance.

Last updated: April 25, 2026

Framework

GDPR Art. 28

Breach notice

Within 72 hours

DPA contact

hello@listomize.com

Purpose

This Data Processing Agreement ("DPA") governs the processing of Personal Data by Listomize ("Processor") on behalf of our customers ("Controller") in compliance with GDPR Article 28.

Subject matter and duration

Processing is for the duration of your active subscription. Upon termination, data is deleted within 30 days unless legal obligations require retention.

Nature and purpose of processing

Operate the Listomize service for the Controller
Provide AI-generated outputs (titles, tags, descriptions, etc.)
Send transactional and account emails
Support and security operations

Types of personal data

Identification: name, email address
Account: hashed password, account preferences
Usage: feature usage logs, IP addresses (anonymized after 30 days)
Inputs: content submitted to AI tools (not stored long-term)

Categories of data subjects

End users of the Controller's account, typically Etsy sellers themselves.

Sub-processors

We engage the following categories of sub-processors to operate the service. All providers are SOC 2 Type II compliant (or equivalent) and bound by data-protection agreements. Customers will be notified at least 30 days before any change.

Edge hosting + CDN + WAF + DDoS protection — Global edge network provider (SOC 2 Type II)
Managed database + authentication — US-based managed Postgres provider (SOC 2 Type II)
Primary LLM API — US-based large-language-model API for text generation, keyword research & competitor analysis
Fallback LLM API — US-based open-weights LLM API for burst capacity & redundancy
Transactional email — US-based email-delivery provider (SOC 2)

Specific vendor list: We disclose the named legal entities and jurisdictions of each sub-processor to verified customers (signed DPA or active subscription) on request via hello@listomize.com. We respond within 2 business days.

Security measures

We implement appropriate technical and organizational measures including:

HTTPS/TLS 1.3 encryption in transit
Encryption at rest (AES-256) for the database
Hashed passwords (bcrypt with appropriate cost factor)
Strict access controls (least-privilege principle)
Rate limiting and intrusion detection on all APIs
Regular security audits and dependency updates

Data subject rights

We will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) within 30 days of a verified request.

Data breach notification

We'll notify the Controller of any personal data breach within 72 hours of discovery, providing details of the breach, affected data, and mitigation steps.

International transfers

For EU/UK users, transfers to the US rely on Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent UK IDTA.

Audit rights

The Controller may request annual evidence of compliance (security certifications, audit reports). Physical audits require 30 days notice and may be subject to confidentiality agreements.

Termination and data deletion

Upon termination, all Personal Data is permanently deleted within 30 days, except where retention is required by law. Backups are purged within 90 days.

Sign this DPA

To formally execute this DPA, email hello@listomize.com with your company details. We'll send a countersigned PDF within 5 business days.

Need a signed copy for procurement? Send legal entity name, billing address, and signatory details to hello@listomize.com.