Data Processing Agreement
Auftragsverarbeitungsvertrag (AVV) · Effective 9 June 2026.
This Agreement governs the processing of personal data carried out by us on your behalf under Art. 28 GDPR. It forms part of, and is subject to, our Terms of Service.
1. Parties
Controller: the merchant signing up for the service ("you" / "Customer").
Processor: Durn Studio UG (haftungsbeschränkt), Kienitzer Str. 5, 12053 Berlin, Germany ("we" / "Provider"). Contact: support@thebestand.com.
2. Subject matter and duration
Processing of personal data necessary to deliver the inventory forecasting service. Duration: term of the underlying service agreement.
3. Nature and purpose of processing
- Storage of merchant-provided order, product, and inventory data.
- Computation of demand forecasts and reorder recommendations.
- Delivery of action emails to team members you invite.
4. Categories of data
- Account identifiers (email, hashed password) for team members.
- Customer order data pulled from Shopify (order IDs, line items, quantities, totals, optionally the customer's email).
- Product / variant / inventory data.
5. Categories of data subjects
- Your team members with access to the workspace.
- Your customers, to the extent their order data is processed.
6. Technical and organizational measures (Art. 32 GDPR)
- TLS for data in transit; encryption at rest (managed by Supabase).
- Application-layer AES-256-GCM for the Shopify access token.
- Row-Level Security enforced in the database itself, not in application code.
- Hosting in EU regions (Supabase Frankfurt, Vercel EU edge, Railway EU).
- Audit log of every config change, accessible via the dashboard.
- Daily reconciliation and nightly forecast jobs run on hardened managed infrastructure.
- Access to production data restricted to authorized engineers.
7. Sub-processors
See Privacy Policy §4 for the current list. We give 30 days' notice before adding or replacing a sub-processor.
8. Data subject rights
We provide self-service export and deletion endpoints. You remain the controller; we assist you in fulfilling data-subject requests.
9. Termination
On termination you may export all data via Settings → Data → Export my data. We delete or return all personal data within 30 days of termination, except where retention is required by law.
10. Audits
On reasonable notice you may audit our compliance with this Agreement. We may rely on independent third-party certifications (SOC 2, ISO 27001) to satisfy audit obligations once obtained.